SOLVED - Logstash Filter Help - Hash

Wayne_Taylor · February 25, 2018, 5:47pm

Team,

I have an SQS message which has an embedded message that I want to parse and take out each element. I have SQS input working - but when it gets to ES it looks for the message part. Example

"REALTIMEEVENT": {
"type": "UPDATE",
"attributes": {
"id": "123456"
"technology": "NC",
"state": "TOUCHDOWN",
"owner": "SLI"
}
}

I want to use type for document type, ID for document ID and have the owner etc as actual elements.

In Kibana UI the fields look like REALTIMEEVENT.attributes.id etc.

Any ideas.

Thanks

magnusbaeck · February 25, 2018, 8:36pm

You can use a mutate filter to rename fields from e.g. [REALTIMEEVENT][technology] to plain technology. To set the document type and id in your elasticsearch output, reference the fields whose values you want to pick up using the %{fieldname} notation described at https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

Wayne_Taylor · February 25, 2018, 10:14pm

Thank you @magnusbaeck - the rename worked fine. As for the referencing fields I had that covered - but thanks

system · March 25, 2018, 10:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.