Some logs not work with elasticsearch

Elastic Stack Elasticsearch
1

I have two logs:

{"message":"hello","context":{"user_id":"xxxxxx","error":{"ERROR":"Invalid x or y"}},"level":400,"level_name":"ERROR","channel":"production","datetime":"2022-08-02T11:59:02.238022+04:30","extra":{}}

and

{"message":"hello2","context":{"arr":{"ERROR":"Invalid x or y"},"w":"wwwwww","x":"xxxxxx","y":"yyyyyyy","user_id":"xxxxx"},"level":200,"level_name":"INFO","channel":"production","datetime":"2022-08-02T12:08:57.528514+04:30","extra":{}}

I cannot see the first log, but the second log can be shown in kibana.
anyone has an idea?

2

You need to provide a bit more information please.
How are you indexing things to Elasticsearch?

3

I'm using beats and logstash with simple json filter:

filter {
  json {
    source => "message"
    target => "message"
  }
}
4

Ok, does Logstash report an error for that event?

5

I found the problem:
I cannot use ERROR.ERROR
I must rename the inner ERROR
but I don't know how!

6

I just rename the ERROR field and now everything is OK.

  mutate {
    rename => { "[message][context][error]" => "[message][context][prr]" }
  }
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.