I would use the json filter instead. You should add a conditional check to see if the message field "looks" like JSON.
    if [message] =~ "\A\{.+\}\z" {
      json { .. }
    }
or similar.
Be aware that the JSON might be an array of objects [{},{}]
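As an added illustration (not part of the original post), this Ruby script runs the pattern from the post against constructed sample messages and then attempts a real parse, showing which inputs the pre-check skips and which pass it without being valid JSON. `WIDE_PATTERN` and `classify` are hypothetical names, and the script assumes the Logstash conditional evaluates the pattern the way Ruby's Regexp does.

```ruby
require "json"

# Pattern from the post: objects only, single line ('.' does not match "\n").
POST_PATTERN = /\A\{.+\}\z/
# Hypothetical widened pattern: object or array, multi-line, surrounding whitespace allowed.
WIDE_PATTERN = /\A\s*(?:\{.*\}|\[.*\])\s*\z/m

# Returns :object or :array when the message parses,
# :invalid when it passed the regex but is not valid JSON,
# :skipped when the regex did not match (the parser is never called).
def classify(message, pattern = WIDE_PATTERN)
  return :skipped unless message.match?(pattern)
  parsed = JSON.parse(message)
  parsed.is_a?(Array) ? :array : :object
rescue JSON::ParserError
  :invalid
end

# Constructed sample messages.
SAMPLES = {
  object:    '{"user":"alice","action":"login"}',
  array:     '[{"id":1},{"id":2}]',
  multiline: "{\n  \"user\": \"bob\"\n}",
  lookalike: '{not json at all}',
  plain:     'Accepted password for alice from 192.0.2.10',
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, msg|
    puts format("%-10s post=%-8s wide=%s", name, classify(msg, POST_PATTERN), classify(msg))
  end
end
```

The `lookalike` case is why the regex is only a pre-filter: the parse step still needs its own failure handling.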