I have a query related to the grok processor. For example, this is my message field:

{
"message":"agentId:agent003"
}

I want to grok this, and my output should be something like this:

{
"message":"agentId:agent003",
"agentId":"agent003"
}

Could someone help me with how to achieve this? If I am able to do it for one field, I can manage the rest of my fields. Thanks in advance.

This is the pipeline I have created in Elasticsearch:

PUT _ingest/pipeline/dissectpipeline
{
  "description" : "split message content",
  "processors": [
    {
      "dissect": {
        "field": "message",
        "pattern": "%{apm_application_message.agentId}:%{apm_application_message.agentId}"
      }
    }
  ]
}

In central management, I added this to the Filebeat module's other config:

- pipeline:
    if: ctx.first_char == '{'
    name: '{< IngestPipeline "dissectpipeline" >}'

There is no error with my Filebeat; it's working fine, but I am unable to find any field like apm_application_message.agentId in the index.

How can I make sure my pipeline is working or not? Also, if I am doing something wrong, please let me know.

1 Answer

Instead of grok, I'd suggest using the dissect filter, which is more intuitive and easier to use.

dissect {
  mapping => {
    "message" => "%{?agentId}:%{&agentId}"
  }
}

If you're using Filebeat, there is also the possibility to use the dissect processor:

processors:
  - dissect:
      tokenizer: "%{?agentId}:%{&agentId}"
      field: "message"
      target_prefix: ""
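
How the `?`/`&` key pair in the tokenizer above turns `agentId:agent003` into an `agentId` field, as an added Python example that is not part of the original answer and is not Logstash or Filebeat code. It is a simplified model covering only plain, `?` and `&` keys; the function name `dissect` and the sample lines are constructed for illustration.

```python
import re

# One %{...} field; the text between fields is a literal delimiter.
FIELD = re.compile(r"%\{([^}]*)\}")

def dissect(pattern, text):
    """Simplified model of a dissect tokenizer (plain, '?' and '&' keys only).

    Returns a dict of extracted fields, or None when a delimiter is missing.
    """
    parts = FIELD.split(pattern)
    delims, names = parts[0::2], parts[1::2]
    if not text.startswith(delims[0]):
        return None
    pos = len(delims[0])
    captured = []
    for i, name in enumerate(names):
        delim = delims[i + 1]
        if delim:
            end = text.find(delim, pos)
            if end < 0:
                return None          # delimiter not found: no match
        elif i == len(names) - 1:
            end = len(text)          # last field takes the rest of the line
        else:
            raise ValueError("adjacent fields need a delimiter between them")
        captured.append((name, text[pos:end]))
        pos = end + len(delim)

    # '?name' is captured but not emitted; plain keys are emitted as-is.
    named = {n.lstrip("?"): v for n, v in captured if not n.startswith("&")}
    out = {n: v for n, v in captured if n and n[0] not in "?&"}
    # '&name' emits its value under the key captured by the field called 'name'.
    for n, v in captured:
        if n.startswith("&"):
            if n[1:] not in named:
                raise ValueError(f"no field named {n[1:]!r} to reference")
            out[named[n[1:]]] = v
    return out

# Constructed sample lines, modelled on the message in the question.
ONE = dissect("%{?agentId}:%{&agentId}", "agentId:agent003")
TWO = dissect("%{?k1}:%{&k1} %{?k2}:%{&k2}", "agentId:agent003 status:online")
MISS = dissect("%{?agentId}:%{&agentId}", "agent003")
```

Because the `&` key takes the field name from the log line itself, the application writing the log decides which field names reach the index.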

9 Comments

If I use this processor in a pipeline, it works fine in the Kibana console, but my intention is to dissect it when shipping the data to Elasticsearch using Filebeat. Could you please let me know how to use this processor in Filebeat?
Note: I am shipping the custom log data of a Java application from log files using ECS logging for Java applications using Filebeat.
Ok, I thought you were using Logstash, please see my updated answer.
My filebeat.yml is auto-generated, in the sense that I have configured everything in Beats Central Management. In that case, where can we add the processor?
You should know, though, that Beats Central Management will be discontinued for a better solution coming up in 7.8.