Aggregate-filter to create nested arrays

I'm new to Logstash and have been browsing the web for a couple of days for a solution to my problem: creating a nested array for a company structure to load into Elasticsearch. I want to create an array of companies with a nested array of departments and, for each department, also an array of groups/sections. I've been copying a lot of code snippets from the web but I haven't been able to put everything together to get what I want ...

My original source is a MySQL database, but I've captured the JDBC output into a JSON file. I'll include the wanted output as JSON files and then the aggregate filter section of my conf file.

It will be much appreciated if someone had the time to help me on my way.

"name":"Millenium Inc",
"name":"Millenium Inc",
"name":"Millenium Inc",
"name":"Millenium Inc",
"name":"Millenium Inc",
"name":"Millenium Inc",
"departments_section_name":"Human Resources",
"name":"Millenium Inc",

    "name":"Nebulose Corp",

"name":"Millenium Inc",
"departments": [
"sections": [
"sections": []
"name":"Human Resources",
"name":"Nebulose Corp",

And the filter part from my logstash.conf:
filter {
  aggregate {
    task_id => "%{company_id}"
    code => "
      map['company_id'] = event.get('company_id')
      map['name'] = event.get('name')
      map['director'] = event.get('director')
      map['departments_list'] ||= []
      map['departments'] ||= []
      if (event.get('department_id') != nil)
        # only the first row seen for a department gets past this check
        if !( map['departments_list'].include? event.get('department_id') )
          map['departments_list'] << event.get('department_id')
          if( event.get('departments_section_id') != nil)
            map['departments'] << {
              'id' => event.get('department_id'),
              'name' => event.get('department_name'),
              'manager' => event.get('department_manager'),
              'sections' => [] << {
                'id' => event.get('departments_section_id'),
                'name' => event.get('departments_section_name'),
                'manager' => event.get('departments_section_manager')
              }
            }
          else
            map['departments'] << {
              'id' => event.get('department_id'),
              'name' => event.get('department_name'),
              'manager' => event.get('department_manager'),
              'sections' => []
            }
          end
        end
      end
    "
    push_previous_map_as_event => true
    timeout => 5
  }
  mutate {
    remove_field => ["departments_list"]
  }
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
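
The filter above adds a section only when a department is first seen, so later rows for the same department lose their sections. The following is an added example, not part of the original post: a plain-Ruby model of the per-company map that looks the department up and appends each section to it. The `Row` stand-in, the function names and the sample rows are assumptions made here for illustration; the field names are the ones used in the post.

```ruby
# Stand-in for a Logstash event: only the get() call the aggregate code uses.
Row = Struct.new(:fields) do
  def get(key); fields[key]; end
end

# Same logic an aggregate `code` option would need: fold one JDBC row into the company map.
def fold_row(map, event)
  %w[company_id name director].each { |k| map[k] = event.get(k) }
  map['departments'] ||= []
  dep_id = event.get('department_id')
  return map if dep_id.nil? # company row without a department

  # Reuse the department created by an earlier row, otherwise append it.
  dep = map['departments'].find { |d| d['id'] == dep_id }
  if dep.nil?
    dep = { 'id' => dep_id, 'name' => event.get('department_name'),
            'manager' => event.get('department_manager'), 'sections' => [] }
    map['departments'] << dep
  end

  # Append the section to that department, once.
  sec_id = event.get('departments_section_id')
  unless sec_id.nil? || dep['sections'].any? { |s| s['id'] == sec_id }
    dep['sections'] << { 'id' => sec_id,
                         'name' => event.get('departments_section_name'),
                         'manager' => event.get('departments_section_manager') }
  end
  map
end

# Mimics task_id => "%{company_id}": one map per company, in arrival order.
def aggregate(rows)
  maps = {}
  rows.each do |r|
    map = (maps[r['company_id']] ||= {})
    fold_row(map, Row.new(r))
  end
  maps.values
end

# Constructed sample rows; ids, managers and most names are made up.
KEYS = %w[company_id name director department_id department_name department_manager
          departments_section_id departments_section_name departments_section_manager].freeze
SAMPLE_ROWS = [
  [1, 'Millenium Inc', 'A. Director', 10, 'Human Resources', 'B. Manager', 100, 'Recruiting', 'C. Lead'],
  [1, 'Millenium Inc', 'A. Director', 10, 'Human Resources', 'B. Manager', 101, 'Payroll', 'D. Lead'],
  [1, 'Millenium Inc', 'A. Director', 11, 'Finance', 'E. Manager', nil, nil, nil],
  [2, 'Nebulose Corp', 'F. Director', nil, nil, nil, nil, nil, nil]
].map { |v| KEYS.zip(v).to_h }
```

In Logstash itself, `push_previous_map_as_event` relies on rows arriving ordered by `company_id` and on the pipeline running with a single worker, so that all rows for one company pass through the filter consecutively.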