File: //usr/share/filebeat/module/logstash/log/ingest/pipeline-json.yml
description: Pipeline for parsing logstash logs
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
processors:
- json:
field: message
target_field: logstash.log
- convert:
field: logstash.log.timeMillis
type: string
- date:
field: logstash.log.timeMillis
formats:
- UNIX_MS
target_field: '@timestamp'
- rename:
field: logstash.log.loggerName
target_field: logstash.log.module
- remove:
field:
- message
- logstash.log.timeMillis
- rename:
field: logstash.log.logEvent.message
target_field: message
- rename:
field: logstash.log.logEvent
target_field: logstash.log.log_event
- rename:
field: logstash.log.level
target_field: log.level
- script:
description: Convert logstash.log.log_event.action elements to string.
if: ctx?.logstash?.log?.log_event?.action instanceof List
lang: painless
source: |
def items = [];
ctx.logstash.log.log_event.action.forEach(v -> {
items.add(v.toString());
});
ctx.logstash.log.log_event.action = items;
- set:
field: event.kind
value: event
- script:
lang: painless
source: >-
def errorLevels = ["ERROR", "FATAL"];
if (ctx?.log?.level != null) {
if (errorLevels.contains(ctx.log.level)) {
ctx.event.type = "error";
} else {
ctx.event.type = "info";
}
}