Array field in event

I have an event that has many fields. These fields need to be arrays with other fields. Here is an example of what I want:

"//ip//dst" : [ {
      "type" : "ipv4",
      "value" : "192.168.1.2",
      "vis" : "U&FOUO"
    } ],

I cannot seem to get Logstash to do this. It will only group the type, value, and vis fields in curly braces {} and not brackets [].

Perhaps I am missing something simple or is this not possible?

What does the input look like? What results are you currently getting? What does your configuration look like?

Thank you for the reply. The input is a CSV which I parse using the csv filter:

csv {
  separator => ','
  columns => ["src_dot", "dst_dot", ...]
}

I am then renaming the inputs in a different format. For example dst_dot becomes //ip//dst as in the OP. And the value from the csv goes in the value field within the array that I want.

rename => { "dst_dot" => "[fields][//ip//dst][value]" }

I am then manually marking up the value with metadata such as type and vis:

add_field => {"[fields][//ip//dst][type]" => "ipv4"}
add_field => {"[fields][//ip//dst][vis]" => "U"}

All of this produces the following object:

fields: {
  "//ip//dst" : {
    "type" : "ipv4",
    "value" : "192.168.1.2",
    "vis" : "U"
  },
  ...
}

I need to have the brackets encasing the type, value, and vis fields as in the OP.

I hope that helps explain what is happening.

I suspect you'll have to use a ruby filter to get exactly what you want.

Thank you. I will look into that.

In case anyone else needs a solution for this problem, this is the ruby filter I used:

ruby {
  # Wrap every value under [fields] in a one-element array (legacy event['...'] API)
  code => " event['fields'].each_key { |key| event['fields'][key] = [event['fields'][key]] } "
}
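As an added example (not code from the thread or from Logstash itself), the script below models the event's `fields` sub-document as a plain Ruby Hash and applies the same wrap-in-array transformation stand-alone, so it can be run offline without a Logstash pipeline. It goes slightly beyond the filter above in two ways: it skips values that are already arrays, so running the filter twice (for instance after a pipeline reload or if a second ruby block touches the same fields) does not nest them, and it shows the equivalent body for the `event.get` / `event.set` API that replaced `event['...']` in Logstash 5. `FakeEvent`, `SAMPLE_FIELDS`, `wrap_fields_in_arrays` and `logstash_filter_body` are names chosen here, not Logstash API; the sample input is constructed to match the shape the thread's csv/rename/add_field filters produce.

```ruby
require "json"

# Constructed sample input: the shape the csv / rename / add_field filters
# in the thread leave under [fields] before the ruby filter runs.
SAMPLE_FIELDS = {
  "//ip//dst" => { "type" => "ipv4", "value" => "192.168.1.2", "vis" => "U" },
  "//ip//src" => { "type" => "ipv4", "value" => "10.0.0.5",    "vis" => "U" },
}

# Return a new hash in which every value is wrapped in a one-element array,
# exactly as the thread's ruby filter does. Values that are already arrays are
# left as they are, so the transformation is idempotent.
def wrap_fields_in_arrays(fields)
  fields.each_with_object({}) do |(key, value), out|
    out[key] = value.is_a?(Array) ? value : [value]
  end
end

# Equivalent filter body for the Logstash 5+ event API (event.get / event.set).
# `event` is assumed to be any object responding to get(name) and set(name, value);
# a minimal stand-in is defined below so this file runs without Logstash.
def logstash_filter_body(event)
  fields = event.get("fields")
  return if fields.nil?          # nothing to do if the event has no [fields]
  event.set("fields", wrap_fields_in_arrays(fields))
end

# Hypothetical stand-in for the Logstash event object (only get/set are needed).
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(name)
    @data[name]
  end

  def set(name, value)
    @data[name] = value
  end

  def to_hash
    @data
  end
end

if __FILE__ == $0
  ev = FakeEvent.new({ "fields" => SAMPLE_FIELDS })
  logstash_filter_body(ev)
  puts JSON.pretty_generate(ev.to_hash)
end
```

Running the script prints `"//ip//dst"` and `"//ip//src"` each as a one-element array of `{type, value, vis}` objects, which is the bracketed form asked for in the original post. In a real pipeline the `wrap_fields_in_arrays` logic would sit inside the `code => "..."` string of the ruby filter; the idempotence check is the part worth keeping, since a ruby filter that unconditionally wraps will silently produce `[[{...}]]` if it ever runs over an already-transformed event.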
