[ AWS Cloudwatch ] aws field is not a json object.

[leandrojmp]

Hello,

Recently I started to use the AWS Cloudwatch integration and saw that the aws-cloudwatch input from filebeat adds the following fields:

• awscloudwatch.ingestion_time
• awscloudwatch.log_group
• awscloudwatch.log_stream

And also the following fields.

• aws.cloudwatch.ingestion_time
• aws.cloudwatch.log_group
• aws.cloudwatch.log_stream

At first I thought it was duplicating the fields and opened this issue where it was explained the the awscloudwatch.* fields are deprecated.

From the name of the new fields, for example aws.cloudwatch.log_group I would expect to see the following json object in my documents:

{ 
    "aws": { 
        "cloudwatch": { 
            "log_group": "log-group-name"
        }
    }
}

But looking at the document this is what I have:

{ 
    "aws.cloudwatch": { 
        "log_group": "log-group-name"
    }
}

Which matches the change that was made in the filebeat code

            "aws.cloudwatch": mapstr.M{
                "log_group":      logGroup,
                "log_stream":     *logEvent.LogStreamName,
                "ingestion_time": time.Unix(*logEvent.IngestionTime/1000, 0),
            },

The aws field should be a json object, having a field named aws.cloudwatch where the dot is part of the name of the field can lead to confusion and frustration while try to use ingest pipelines or other code to access the field.

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[leandrojmp]

:+1: