SOLVED - Logstash Filter Help - Hash

Wayne_Taylor · February 25, 2018, 5:47pm

Team,

I have an SQS message which has an embedded message that I want to parse and take out each element. I have SQS input working - but when it gets to ES it looks for the message part. Example

"REALTIMEEVENT": {
"type": "UPDATE",
"attributes": {
"id": "123456"
"technology": "NC",
"state": "TOUCHDOWN",
"owner": "SLI"
}
}

I want to use type for document type, ID for document ID and have the owner etc as actual elements.

In Kibana UI the fields look like REALTIMEEVENT.attributes.id etc.

Any ideas.

Thanks

magnusbaeck · February 25, 2018, 8:36pm

You can use a mutate filter to rename fields from e.g. [REALTIMEEVENT][technology] to plain technology. To set the document type and id in your elasticsearch output, reference the fields whose values you want to pick up using the %{fieldname} notation described at https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

Wayne_Taylor · February 25, 2018, 10:14pm

Thank you @magnusbaeck - the rename worked fine. As for the referencing fields I had that covered - but thanks

system · March 25, 2018, 10:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch filter and input on different events Logstash	4	2011	November 21, 2017
Logstash 2.1: Dynamically Altering Field Names Logstash	6	1582	July 6, 2017
Using KV with JSON Logstash	7	2498	July 6, 2017
Elastic Json parse into logstash Logstash	30	1201	November 22, 2018
Elasticsearch Querying a document to grab field using another documents field value Elasticsearch runtime-fields	4	848	May 23, 2023

SOLVED - Logstash Filter Help - Hash

Related topics