IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« JSON content discovery Example »
Elastic Docs Observability Guide [8.1] Send data to Elasticsearch Elastic Serverless Forwarder for AWS Configuration options for Elastic Serverless Forwarder JSON content discovery

Expanding events from JSON object lists

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
Expanding events from JSON object lists
edit

You can extract a list of events to be ingested from a specific field in the JSON file.

inputs:
  - type: "s3-sqs"
    id: "arn:aws:sqs:%REGION%:%ACCOUNT%:%QUEUENAME%"
    expand_event_list_from_field: "Records"
    outputs:
      - type: "elasticsearch"
        args:
          elasticsearch_url: "arn:aws:secretsmanager:eu-central-1:123456789:secret:es_url"
          username: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:username"
          password: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:password"
          es_datastream_name: "logs-generic-default"

You can define inputs.[].expand_event_list_from_field as a string with the value of a key in the JSON that contains a list of elements that must be sent as events instead of the encompassing JSON.

When routing service logs, any value set for the expand_event_list_from_field configuration parameter will be ignored, because this will be automatically handled by the Elastic Serverless Forwarder.

« JSON content discovery Example »