Reputation: 705
How to remove the json. prefix on my elasticsearch field
I use ELK to get some info on my rabbitmq stuff. Here my conf logstash side
json {
source => "message"
}
But in kibana I have to prefix all my fields with json.xxx: json.sender, json.sender.raw,json.programld, json.programId.raw ...
How can I not have this json.-prefix in my field names, so that I only have to have: sender, programId, etc.?
Best regards and thanks for your help !
Bonus question : what are all these .'raw' I must use in kibana ?
Upvotes: 1
Views: 953
Answers (1)
Reputation: 16362
According to the doc:
By default it will place the parsed JSON in the root (top level) of the Logstash event, but this filter can be configured to place the JSON into any arbitrary event field, using the target configuration.
So it feels like your json is wrapped in a container named "json" or you're setting the "target" in logstash without showing us.
As for ".raw", the default elasticsearch mapping will analyze the data you put in a field, so changing "/var/log/messages" into three words: [var, log, messages]" which can make it hard to search. To keep you from having to worry about this at the beginning, logstash creates a ".raw" version of each string, which is not analyzed.
You'll eventually make your own mappings, and you can make the original field not_analyzed, so you won't need the .raw versions anymore.
Upvotes: 1
Related Questions
- Elastic search shows JSON data in the message field
- Kibana Logstash ElasticSearch | Unindexed fields cannot be searched
- How to parse a json from log
- Not able to remove all fields with a prefix in Logstash
- unable to parse timetstamp correctly on ELK 5.4
- how enable anonymous access in ElasticSearch 5.3
- Can I use Kibana to parse the message field
- Logstash issues in creating index remove .raw field in kibana
- ElasticSearch - mismatching field types in schema
- Is the @timestamp field needed when using Logstash to store in Elasticsearch?