Replies: 2 comments 1 reply
-
|
I'm doing this on filebeat itself: This could work for you as well. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
thank u |
Beta Was this translation helpful? Give feedback.
-
|
In your remap component you can use the merge() function to combine your parsed transforms:
parse_logs:
type: remap
inputs: ["dummy_logs"]
source: |
json = parse_json!(.message)
json.log_timestamp = del(json.@timestamp)
merge(., object!(json))
del(.message)
del(.agent)
del(.ecs)
del(.input)
del(.log)
''' |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Kafka log content is about as follows:
{ "@metadata": { "beat": "filebeat", "type": "_doc", "version": "7.10.0" }, "message": { "upstream_response_time": "0.056", "upstream_status": "200" } }And Finally, there will be more message fields written in elasticsearch,as follows
The vector configuration is as follows
[transforms.parse_logs]
type = "json_parser"
inputs = ["dummy_logs"]
source = '''
. = parse_json!(.message)
.message = parse_json!(.message)
'''
My purpose is to finally display on elasticsearch, there is no message field,as follows
Beta Was this translation helpful? Give feedback.
All reactions