SOLVED - Logstash Filter Help - Hash

Wayne_Taylor · February 25, 2018, 5:47pm

Team,

I have an SQS message which has an embedded message that I want to parse and take out each element. I have SQS input working - but when it gets to ES it looks for the message part. Example

"REALTIMEEVENT": {
"type": "UPDATE",
"attributes": {
"id": "123456"
"technology": "NC",
"state": "TOUCHDOWN",
"owner": "SLI"
}
}

I want to use type for document type, ID for document ID and have the owner etc as actual elements.

In Kibana UI the fields look like REALTIMEEVENT.attributes.id etc.

Any ideas.

Thanks

magnusbaeck · February 25, 2018, 8:36pm

You can use a mutate filter to rename fields from e.g. [REALTIMEEVENT][technology] to plain technology. To set the document type and id in your elasticsearch output, reference the fields whose values you want to pick up using the %{fieldname} notation described at https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

Wayne_Taylor · February 25, 2018, 10:14pm

Thank you @magnusbaeck - the rename worked fine. As for the referencing fields I had that covered - but thanks

Topic		Replies	Views
How to create custom document _id in logstash? Logstash	7	10958	February 20, 2018
Can logstash get the type of field? Logstash	7	8180	July 6, 2017
Error in Parsing logs Elasticsearch	2	644	January 11, 2019
Logstash elasticsearch filter plugin Logstash	2	596	July 6, 2017
Elasticsearch filter and input on different events Logstash	4	2053	November 21, 2017

SOLVED - Logstash Filter Help - Hash

Related topics