Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Stack Monitoring] Kibana log showing field [json] doesn't exist in error.message field #34210

Closed
crespocarlos opened this issue Jan 9, 2023 · 2 comments · Fixed by #35268
Closed

[Stack Monitoring] Kibana log showing field [json] doesn't exist in error.message field #34210

crespocarlos opened this issue Jan 9, 2023 · 2 comments · Fixed by #35268
Assignees
@crespocarlos
Labels
bug Feature:Stack Monitoring Module:kibana Kibana Beats modules Team:Infra Monitoring UI - DEPRECATED Infrastructure Monitoring UI team - DEPRECATED - Use Team:Monitoring v8.7.0

Comments

@crespocarlos
Copy link
Contributor

Summary

A change was introduced to Kibana log ingest pipeline, to fix a problem in which the pipeline was not considering fields included in the module configuration.

After this change, if a user sets json.keys_under_root is true in the module configuration, it will make the pipeline fail.

 - module: kibana
    log:
      enabled: true
      var.paths:
        - PATH_TO/kibana-json*.log
      input:
        json.keys_under_root: true -> breaks it

Image

Details

This happens because:

  • If json.keys_under_root: true is present in the module configuration, it will move all attributes present in message to the object root
  • By the time filebeat tries to put all attributes from message into an object named json, message will already be empty
  • When filebeat makes the decision of which pipeline to run, json is empty. so it will default to pipeline-7 (causing ECS formatted logs to fail)

Side note: even with the error.message the error mentioned, Logs UI will look OK, because the log ingested is ECS formatted.

Image

Acceptance criteria

  • The pipeline should work, even with json.keys_under_root: true in the module configuration.
@crespocarlos crespocarlos added Feature:Stack Monitoring Team:Infra Monitoring UI - DEPRECATED Infrastructure Monitoring UI team - DEPRECATED - Use Team:Monitoring v8.4.0 v8.6.0 v8.5.0 v8.7.0 Module:kibana Kibana Beats modules bug labels Jan 9, 2023
@fludo
Copy link

fludo commented Mar 30, 2023

Do you have any progress regarding this issue ?
We are waiting for it on a case in elastic cloud: https://support.elastic.co/cases/5008X00002LWDXZQA5

Regards

@crespocarlos crespocarlos self-assigned this May 1, 2023
@crespocarlos crespocarlos mentioned this issue May 1, 2023
Merged
6 tasks
@crespocarlos
Copy link
Contributor Author

@fludo a PR has been opened to address this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@crespocarlos crespocarlos

Labels
bug Feature:Stack Monitoring Module:kibana Kibana Beats modules Team:Infra Monitoring UI - DEPRECATED Infrastructure Monitoring UI team - DEPRECATED - Use Team:Monitoring v8.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] Fix conditions to decode_json_fields and which pipeline to run crespocarlos/beats
2 participants
@fludo @crespocarlos