Oddness with decode_json_fields and json.keys_under_root

LollerAgent · May 22, 2018, 1:00pm

Given the following configuration:

filebeat.prospectors:
- type: docker
  containers.ids:
    - ea97d09738e4bdf7b41cb926ab1276110ed3ce93f73f005d4f5da540ef0928c1
  processors:
  - add_docker_metadata: ~
  - decode_json_fields:
      fields: ["message"]
      target: "log"

The message field is decoded into the log (target) field, but the original message field remains as an encoded string at the root of the JSON object:

  "log": {
    "message": "",
    "level": "info",
    "distributed_trace_id": "",
    "http": {
      "request": {
        "remote_ip": "173.197.145.174",
        "method": "GET",
        "path": "/stylesheets/fonts/WhitneySSm-BookItalic.ttf",
        "host": ""
      },
      "response": {
        "status_code": 404
      }
    },
    "legacy_message": "ts=2018-05-21T20:48:51.880970898Z method=GET path=/stylesheets/fonts/WhitneySSm-BookItalic.ttf host= remote_ip=173.197.145.174"
  },
...
  "message": "{\"legacy_message\":\"ts=2018-05-21T20:48:51.880970898Z method=GET path=/stylesheets/fonts/WhitneySSm-BookItalic.ttf host= remote_ip=173.197.145.174\",\"message\":\"\",\"level\":\"info\",\"distributed_trace_id\":\"\",\"http\":{\"request\":{\"method\":\"GET\",\"path\":\"/stylesheets/fonts/WhitneySSm-BookItalic.ttf\",\"host\":\"\",\"remote_ip\":\"173.197.145.174\"},\"response\":{\"status_code\":404}}}",

If I add json.keys_under_root: false (which is false by default, right?) - the message field gets decoded underneath a new json key (not log as defined by the target) but the original message key gets deleted:

  "json": {
    "legacy_message": "ts=2018-05-21T20:46:41.807431938Z method=GET path=/stylesheets/fonts/WhitneySSm-BookItalic.ttf host= remote_ip=173.197.145.174",
    "message": "",
    "level": "info",
    "distributed_trace_id": "",
    "http": {
      "request": {
        "method": "GET",
        "path": "/stylesheets/fonts/WhitneySSm-BookItalic.ttf",
        "host": "",
        "remote_ip": "173.197.145.174"
      },
      "response": {
        "status_code": 404
      }
    }
  },

What is the correct behavior here? This seems odd. My goal is to get the decoded message field under a new log key, but delete the original message field that includes the encoded JSON. Is this possible? This is in 6.2.4.

jsoriano · May 22, 2018, 2:36pm

Indeed this behaviour is a bit odd, but this may be caused by some tricky behaviour of the different json parsing options, that are intended for different use cases.

For what you are trying to do, you can keep using the decode_json_fields option, and to delete the original message field add the drop_fields processor, like this:

 - drop_fields:
     fields: ["message"]

system · June 19, 2018, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Decode_json_fields.fields: ["message"] decodes JSON logs with "logs" Beats filebeat	1	325	September 30, 2019
Can filebeat decode embedded json string in a particular field Beats filebeat	3	871	September 17, 2016
Condition with decode_json_fields processor Beats filebeat	10	11454	February 13, 2018
Decode json logs filebeat docker hints-based autodiscover Beats filebeat	4	2465	July 19, 2019
Elastic agent filebeat processors' decode_json_fields error Elastic Agent filebeat	1	321	September 27, 2022

Oddness with decode_json_fields and json.keys_under_root

Related topics