Unable to create index based on message body key

I wanted to create an index based on the key 'request-id', which is inside the JSON body of the log message.

I am trying to put a filter on filebeat.config to get the logs based on request-id.

I wanted to know how I can parse the JSON message into ES fields so that I can apply a filter on the same.

Can you share your filebeat configuration? Inputs support json parsing, plus Beats also provide a processor for parsing json.

These are my config settings:

I am using processors: decode_json_fields

The expectation is to create an index based on the key coming in the JSON body of the message.

Please do not share pictures of config files or logs.

From your configuration it looks like the log message is already parsed, yet the first screenshot shows that it is not parsed. Did you just add the processors?

Once you have the JSON correctly parsed, you can configure the index name in `output.elasticsearch.index: '%{[field.name]}'`. The problem is that your request_id is an array of strings, but we need a string. For extracting the ID from the array you will need this process that is currently in development.
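A configuration sketch of the approach described in the reply above, added here as an example and not taken from the thread or from either poster's setup. It assumes the JSON arrives in the `message` field and that `request-id` is a plain string (not the array seen in this thread); the log path, host, `app` target and `applogs` names are hypothetical.

```yaml
# filebeat.yml (constructed example; paths, host and names are placeholders)
filebeat.inputs:
  - type: log
    paths:
      - /var/log/myapp/*.log        # hypothetical log location

processors:
  # Parse the JSON text held in "message" into structured fields
  # under "app", so the key becomes addressable as app.request-id.
  - decode_json_fields:
      fields: ["message"]
      target: "app"
      max_depth: 1
      add_error_key: true            # record parse failures on the event

output.elasticsearch:
  hosts: ["localhost:9200"]          # placeholder host
  # Fallback index for events where no rule below matches.
  index: "applogs-default"
  indices:
    # A rule fails when the referenced field does not exist on the
    # event; such events use the fallback index above.
    - index: "applogs-%{[app.request-id]}"

# Required whenever the default index name is overridden.
setup.template.name: "applogs"
setup.template.pattern: "applogs-*"
# With ILM active the custom index setting is ignored.
setup.ilm.enabled: false
```

Elasticsearch index names must be lowercase, and a field with as many distinct values as a request ID produces one index per value, so check the field's cardinality before routing on it.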
