Add Nested Field Value to a new field using Logstash Filter

Kevin_f · June 29, 2020, 3:56pm

Hello All,

I hope someone here could help me as I have been stuck for days on this issue I am facing. I have got the kibana output as shown below:

I am trying to add the nested field value of "key" into a new field called key. This is what I am trying to do using logstash filter:

filter {
   mutate {
       add_field => {
          "key"   => "%{[properties][additionalDetails][key]}"
      }
   }
}

However the below is giving me the output:

Any ideas, where I am going wrong with this one? Any help would be much appreciated. Thanks.

Badger · June 29, 2020, 6:11pm

It is inconceivable to me that

add_field => { "key"   => "%{[properties][additionalDetails][key]}" }

would result in key being set to

"%{[properties.additionalDetails][key]}"

logstash is not going to replace the ][ with .

Most likely that mutate will work as is.

Kevin_f · June 29, 2020, 6:26pm

Hi Badger,

Thank you for coming back to me. Much appreciated

Sorry for the confusion. The last screenshot is incorrect. The actual output in Kibana is showing:

key             "%{[properties][additionalDetails][key]}"

instead of:

key              User-Agent

I have edited my original post with the correct screenshot (error)

Badger · June 29, 2020, 6:40pm

Can you run logstash with

output { stdout { codec => rubydebug } }

and show us that the [properties] field looks like?

Kevin_f · June 29, 2020, 6:53pm

Hi Badger,

Seems like I am not getting any console output with the debugging.

I have even done:

output {
  stdout {
      path => /var/log/logstash/tmp/ruby_output
      codec => rubydebug
 }
}

Still nothing in the file and looking in the logstash-plain.log, nothing related to stdout is in there. The last log just states "successfully started logstash API endpoint"

Even ran logstash as:
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/output.conf

and no joy with stdout

i can show you the json output of what kibana is showing me instead if that helps?

Badger · June 29, 2020, 8:03pm

The stdout output does not have a path output. Use a file output if you want to specify a path.

The JSON from kibana does tell me enough. Note that additionalDetails is an array. Try

add_field => { "key"   => "%{[properties][additionalDetails][0][key]}" }

Kevin_f · June 29, 2020, 8:26pm

Hi Badger,

Ahhh perfect. That worked! Thank you.

I should have tried that before but instead I put it as:

add_field => { "key"   => "%{[properties][additionalDetails][key][0]}" }

system · July 27, 2020, 8:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Put value of nested field into new field Logstash	11	5146	April 17, 2018
Filter to add fiels of on nested JSON name value fields Logstash	5	602	April 27, 2022
Add Nested Field Array Value based on Array String Logstash	16	3113	July 29, 2020
Access nested fields in mutate filter Logstash	5	22895	July 6, 2017
Error creating new field with the valu of a nested field Logstash	4	241	May 3, 2022

Add Nested Field Value to a new field using Logstash Filter

Related topics