Hi guys,
I'm trying to use the official website documentation for renaming a field from the JSON in Filebeat, but it doesn't work, so I've decided to post here what I've done and learn more about my mistake. I want to rename, for example, the field "s" to "severity" and "i" to "info".
The JSON example:
```json
{
  "took": 1,
  "timed_out": false,
  "_shards": {},
  "hits": {
    "total": {
      "value": 490,
      "relation": "eq"
    },
    "max_score": 1.0,
    "hits": [
      {
        "_index": "filebeat-7.10.2-2023.07.11-000001",
        "_type": "_doc",
        "_id": "orEURYkBcFrHMc1Pavyg",
        "_score": 1.0,
        "_source": {
          "@timestamp": "2023-07-11T13:11:50.211Z",
          "attr": {},
          "message": "{\"t\":{\"$date\":\"2023-07-11T03:20:02.253+00:00\"},\"s\":\"I\", \"c\":\"CONTROL\", \"id\":20721, \"ctx\":\"SignalHandler\",\"msg\":\"Process Details\",\"attr\":{\"pid\":\"1509\",\"port\":27018,\"architecture\":\"64-bit\",\"host\":\"mongoserver\"}}",
          "agent": {},
          "c": "CONTROL",
          "s": "I",
          "log": {
            "offset": 0,
            "file": {
              "path": "/tmp/mongod.log"
            }
          },
          "host": {
            "name": "ecs-basic"
          },
          "t": {
            "$date": "2023-07-11T03:20:02.253+00:00"
          },
```
My filebeat.yml looks like:
```yaml
processors:
  - rename:
      fields:
        - from: "hits.hits._source.s"
          to: "hits.hits._source.severity"
      ignore_missing: false
      fail_on_error: true
```
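
An added example, not part of the original post: the `rename` processor resolves `from` and `to` against the event Filebeat builds, which is what Elasticsearch later returns inside `_source`; `hits.hits._source` is only the wrapper of the search response. It assumes the MongoDB JSON line is already decoded to the event root before this processor runs, as the sample `_source` above shows `s` and `c` at the top level.

```yaml
processors:
  # As posted: "hits.hits._source.s" is a path in the Elasticsearch search
  # response, not in the Filebeat event, so the key is never found.
  # - rename:
  #     fields:
  #       - from: "hits.hits._source.s"
  #         to: "hits.hits._source.severity"

  # Paths relative to the event root (the content of _source).
  - rename:
      fields:
        - from: "s"
          to: "severity"
      # With ignore_missing: false, a "from" key that is absent from the event
      # is an error (the sample event above contains "s" but no "i").
      ignore_missing: false
      # With fail_on_error: true, any error stops the renaming and the
      # original, unrenamed event is published.
      fail_on_error: true
```

Documents indexed before the change keep the old field name; only events processed after Filebeat restarts with the new configuration carry `severity`.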