We're performing Elasticsearch updates with scripts and upserts and we want to wrap everything in the Logstash filter into another object.
Take for instance:
grok {
  patterns_dir => "/etc/logstash/grok_patterns"
  break_on_match => false
  match => {
    "message" => [
      "^Foo=%{NWGREEDYDATA:Foo}"
    ]
  }
}
We would like to be able to grab this entire message plus the Filebeat data and put it into an object. This object would then be sent to Elasticsearch like this:
{
  "events": {
    "Foo": "bar",
    "beats": {
      "host": "foo.domain.com",
      ......
    }
  }
}
How would we go about this?
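One way to get the shape described in the question, as an added example pipeline that is not part of the original post: Logstash field references use the `[outer][inner]` syntax, and `mutate { rename }` creates the outer object when it does not exist yet, so the grok'd field and the Beats metadata can be moved under a single `events` object. The pattern file, the `NWGREEDYDATA` pattern and the `Foo` field come from the question; the name of the Filebeat metadata object (`beat` here) is an assumption and depends on the Beats version in use.

```conf
filter {
  grok {
    patterns_dir   => "/etc/logstash/grok_patterns"
    break_on_match => false
    match => { "message" => [ "^Foo=%{NWGREEDYDATA:Foo}" ] }
  }

  # Option 1: move explicitly named fields under "events".
  # "[beat]" is an assumption for the Filebeat metadata object; adjust to
  # whatever your Beats version actually ships.
  mutate {
    rename => {
      "Foo"    => "[events][Foo]"
      "[beat]" => "[events][beats]"
    }
  }

  # Option 2 (use instead of Option 1): wrap every field except the
  # Logstash bookkeeping fields under "events". event.to_hash returns a
  # copy, so removing fields while iterating over it is safe.
  # ruby {
  #   code => '
  #     keep = ["@timestamp", "@version", "@metadata"]
  #     payload = {}
  #     event.to_hash.each do |field, value|
  #       next if keep.include?(field)
  #       payload[field] = value
  #       event.remove(field)
  #     end
  #     event.set("events", payload)
  #   '
  # }
}
```

Before wiring this into an Elasticsearch output with scripted upserts, run the pipeline with `output { stdout { codec => rubydebug } }` and confirm that `events.Foo` and `events.beats.host` appear where expected; a rename onto a target that already exists overwrites it, so check that nothing else in the pipeline writes to `events`.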