Best Way to create nested field

Elastic Stack Logstash
1

I successfully parsed out some fields, and am trying to aggregate some of them into one fields. Anyone suggestions on how to to that would be really appreciated. I haven't found a way to do so, but I assume this must be supported as nested JSON are commonly handled by elasticsearch. Thanks

for example:

status:***
action:###
object:###
path:***

into

status:***
operation{
action:###
object:###
}
path:***

Thanks!

2

Take a look at the syntax for nested fields. Then look at using mutate to rename the fields, for example:

filter {
  mutate {
    rename => { "action" => "[operation][action]" }
    rename => { "object" => "[operation][object]" }
  }
}
1 Like
3

Is it possible to do the same thing with the all body message?
(without to to it for all single fields)
Example:

"something1":"11111",
"something2":"22222",
"something3":"33333"

transform it in:

event{
payload{
"something1":"11111",
"something2":"22222",
"something3":"33333"
}
}

4

Yes, but the stock filters don't have the kind of wildcard functionality that you'd need for that. You'll have to write a small snippet of Ruby and put it in a ruby filter.

5

i'm very new on ruby and logstash and i'm studying about it.
Any suggestions?

thank you

6

Thank you, this is confirmed to work !

7

Daniele, I would start with watching the webinar and the "Get Started" section on the documentaiton page, it's what got me started! And If you run into questions, try googling first, I found more than half my answers from google around logstash, and you can always come back here if you don't find them on Google. I'm no expert like Magnus, but you can message me, and I'll do what I can to help. Good luck!

8

Thank You so much for your advices.
I wrote my previous question just because i didn't find nothing on the net.

9

Hi
We have the Same Problem, have you a solution with the Ruby Code?
Thank you very much
Juergen

1 Like
10

solved in: