Best way to split json input to multiple events for elasticsearch

Skippy · September 14, 2016, 6:34pm

First of all, my apologies. I am new to ELK and I can find most of my way around with googling what I need. I absolutely love ELK so far, but I could not find any answers to a very simple question (Which leads me to believe I might not have the right question.

I have json input that looks something like this:
{
"value": {
"USQueue": {
"QueueSize": 0,
"Name": "USQueue"
},
"IndiaQueue": {
"QueueSize": 0,
"Name": "IndiaQueue"
}
}
}

Right now, I see my fields in elasticsearch get created as a single event with the following:
value.USQueue.QueueSize = 0
value.USQueue.Name = USQueue
value.IndiaQueue.QueueSize=0
value.IndiaQueue.Name=IndiaQueue

What I want to do is split this into two events.
{
"QueueSize": 0,
"Name": "USQueue"
}
and
{
"QueueSize": 0,
"Name": "IndiaQueue"
}

Where I can use Kibana to easily create a bar chart of all queuesizes and split the bars with Name field.

How would I go about this? I played with split, but that did not work as it is a hash, not an array.

I am very sorry for my terminology, as I am still new, but hopefully the gist is understood. Thank you very much for your time!

magnusbaeck · September 15, 2016, 6:11pm

I think you have to use a ruby filter that converts the hash into an array. Something like

ruby {
  code => "
    event['arrayvalue'] = []
    event['value'].each_pair { |k, v|
      event['arrayvalue'] << { 'Name' => k, 'QueueSize' => v['QueueSize'] }
    }
  "
}

might work. Then you can use the split filter on the resulting event.

Skippy · September 16, 2016, 7:33pm

Thank you so much Magnus. I did a variation of what you had to my environment (My example was not really accurate) and it worked like a charm! Thank you!