Hi everyone,
i plan to whitelist some fields, but they are nested field. i already tried prune to whitelist them and it didn't work. for example:
Request Body : {"tipe":"FF","nama":"ABC","nik":"","handphone":"00012","email":"","channelId":"7777","clientId":"1234"}
if i want to whitelist only channelId and clientId, how do i do that? Thanks
How does it look in LS?
If is nested like:
"Request Body" : {"tipe":"FF","nama":"ABC","nik":"","handphone":"00012","email":"","channelId":"7777","clientId":"1234"}
then should be like this:
["Request Body"]["tipe"]
["Request Body"]["nama"]
...
If are not nested, then is simple just "tipe"
oh, sorry i forget to tell you that i have a json filter like this:
json{
source => "requestBody"
target => "requestBody"
skip_on_invalid_json => true
}
i tried using prune like this before but it didn't work:
[requestBody][channelId], [requestBody][clientId]
is "" inside the bracket will take effect?
Should be like this: [requestBody][channelId]
If is still not working, check in ruby debugger, you might have an array like this [requestBody][0][channelId]
A prune filter only operates on top-level fields, it cannot whitelist or blacklist nested fields.
As workaround, then you can copy white list fields in another fields, and remove requestBody
mutate { remove_field => ["requestBody"] }
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.