Hi
I am using filebeat to push the logs directly into Opensearch.
There is a need to massage the data before ingesting to opesearch for analytical purpose.
So i am trying with dissect processor on the field ‘message’ and the result is as expected.
My Config is
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- dissect:
when:
contains:
message: “Status”
tokenizer: “%{loglevel} [%{comp}] %{mkt} status=%{status}”
field: “message”
target_prefix: “”
When i do the dissect, will the original message will be lost/hampered.
Is it good to copy the message into another field and then do the massaging.
Appreciate inputs on this.
Thanks
H