Splitting message field

Good morning, we have recently just set up Kibana and don't have much knowledge on it. It is splitting everything well apart from our message, which can be seen below.

2020-02-11T11:59:25.700Z das43423-fsdads434-sfafd4 INFO => using existing write database connection

As you can see, the message has a timestamp in it which we don't need, then an ID, log type and the actual log. What we would like to do is strip out the timestamp, as we have a separate timestamp field, then create a field for the ID, log type and the actual log from our message. What is the best way to do this please?

Hi,

How are you indexing data in elasticsearch?
Can you please share your index mapping? It's really difficult to understand the problem without this information.

We are using Functionbeat 7.5.2.

AFAIK Kibana doesn't parse. Your documents (messages) should be indexed into Elasticsearch with the required fields (splits).
Check your index mappings to know your document structure and split the message field at the source.

Cool, I thought that might be how we have to go about it, thanks. Do you have any examples of splitting fields through mappings? I can't see any examples online of how to do it.

You cannot do it through mapping. I asked for the mapping just to find your document structure. If you want any split at Elasticsearch when indexing, you can use the ingest pipeline processors.

https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline.html
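The ingest-pipeline approach suggested above, worked through for the exact line quoted in the question, as an added example that is not part of the thread. It defines a pipeline with a `dissect` processor whose first token is a named skip key, so the embedded timestamp is consumed but never written to the document, plus a pipeline-level `on_failure` handler so a line that does not match the pattern is kept and flagged rather than failing silently. The pipeline name `split-message` and the field names `log_id`, `log_type` and `log_text` are assumptions; the small regex in `dissect_message` is a local stand-in for the dissect processor so the expected result can be checked without a cluster.

```python
"""Ingest pipeline that splits the functionbeat `message` field (added example, not from the thread)."""
import json
import re

# Constructed sample, taken from the line quoted in the question.
SAMPLE_MESSAGE = ("2020-02-11T11:59:25.700Z das43423-fsdads434-sfafd4 INFO "
                  "=> using existing write database connection")

# Assumed pipeline name and target field names; choose your own.
PIPELINE_NAME = "split-message"

# dissect pattern: %{?embedded_timestamp} is a named skip key, so the first
# token is matched and discarded. The rest go into log_id, log_type, log_text.
DISSECT_PATTERN = "%{?embedded_timestamp} %{log_id} %{log_type} => %{log_text}"

PIPELINE_BODY = {
    "description": "Split message into log_id, log_type and log_text",
    "processors": [
        {"dissect": {"field": "message", "pattern": DISSECT_PATTERN}}
    ],
    # A line that does not match the pattern is still indexed, with the reason
    # recorded in error.message, instead of being lost without a trace.
    "on_failure": [
        {"set": {"field": "error.message",
                 "value": "{{ _ingest.on_failure_message }}"}}
    ],
}


def pipeline_put_request():
    """(method, path, body) for creating the pipeline through the REST API."""
    return ("PUT", f"/_ingest/pipeline/{PIPELINE_NAME}", json.dumps(PIPELINE_BODY))


def simulate_request(messages):
    """Body for POST /_ingest/pipeline/<name>/_simulate, a dry run of the pipeline."""
    return {"docs": [{"_source": {"message": m}} for m in messages]}


# Local approximation of what the dissect processor produces: tokens split on
# single spaces and on the literal " => ", exactly as in DISSECT_PATTERN.
_LOCAL_PATTERN = re.compile(r"^(\S+) (\S+) (\S+) => (.*)$")


def dissect_message(message):
    """Return the fields the pipeline would add, or None if on_failure would fire."""
    m = _LOCAL_PATTERN.match(message)
    if not m:
        return None
    _timestamp, log_id, log_type, log_text = m.groups()  # timestamp dropped
    return {"log_id": log_id, "log_type": log_type, "log_text": log_text}


if __name__ == "__main__":
    method, path, body = pipeline_put_request()
    print(method, path)
    print(body)
    print(json.dumps(simulate_request([SAMPLE_MESSAGE]), indent=2))
    print(dissect_message(SAMPLE_MESSAGE))
```

Create the pipeline with the `PUT` request the script prints, then check it against a few real lines with the `_simulate` body before pointing Functionbeat at it via the `pipeline` setting under `output.elasticsearch` in functionbeat.yml. Documents that end up with an `error.message` field are the ones whose message did not match the pattern, which is worth a saved search so format changes in the source are noticed.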
