Set "target" in JSON filter to be variable

I'm trying to use json filter to parse logs but I want to save them under a new field. I know that I can do something like the following:

    filter {
        json{
            source => "message"
            target => "foo"
        }
    }

But I want to use target as variable.

For example, assume that I have the following:

{
  "_index": "filebeat-7.3.0-2020.09.22",
  "_type": "_doc",
  "_id": "LKqHs3QBl7NXO7ofpbfK",
  "_score": 1,
  "_source": {
    ...
    ...
    "message": "{\"level\":\"info\",\"timestamp\":\"2020-09-22T01:54:58.894Z\",\"caller\":\"middleware@v1.0.3/logger.go:59\",\"message\":\"Default Log\",\"requestId\":\"2917737d-d98f-4ed4-b9b5-8c614daf2e2e\",\"method\":\"POST\",\"endpoint\":\"/v1/automation-job/dequeue\",\"StatusCode\":404,\"duration\":\"1.441251ms\"}",
    ...
    ...

    "kubernetes": {
      "container": {
        "name": "test-foo"
      },
      ...
    }
  },
}

I want to set "target" value to be the value of kubernetes.container.name. In this case, it will be = test-foo. And if the value of kubernetes.container.name changed, the target field changes accordingly.

I tried to use the following setups but they didn't work:

    filter {
        json{
            source => "message"
            target => "%{[kubernetes][container][name]}"
        }
    }

    filter {
        json{
            source => "message"
            target => "%{kubernetes.container.name}"
        }
    }

    filter {
        json{
            source => "message"
            target => [kubernetes][container][name]
        }
    }

Any help, please?

logstash version. 7.3.0
elasticsearch 7.3.0

I do not think that can be done directly, but you could use a fixed target and then move it using mutate.

Wow, It worked that way. It weird thought that target can't be variable.

Thanks very much

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.