Contructing JSON array output from logstash

Hanciv · June 11, 2018, 6:31pm

Hi,
I am reading a log file where I have key value paired events. I extract the key value fields using KV filter and then construct a JSON manually like the below.

"[application][environment]" => "%{environment}"
"[application][applicationName]" => "%{applicationName}"
"[application][applicationModuleName]" => "%{applicationModuleName}"
"[application][auditStepName]" => "%{auditStepName}"
"[application][applicationModuleVersion]" => "%{applicationModuleVersion}"
.
.
.
"[DetailSection][elementDetail][rejectCode]" => "%{rejectCode}"
"[DetailSection][elementDetail][rejectReasonDescription]" => "%{rejectReasonDescription}"
"[DetailSection][elementDetail][severity]" => "%{severity}"

I have a requirement where in the elementDetail in the schema can only be an array and hence the JSON generated out of this is throwing schema error.
I tried using [DetailSection][elementDetail][0][rejectCode], "[DetailSection][elementDetail][0][rejectReasonDescription]", but they dont work the intended way.

Any help is greatly appreciated!!

Badger · June 11, 2018, 6:55pm

If you have a field called rejectCode, then you can create an array inside an object using

mutate { add_field => { "[DetailSection][elementDetail][0][rejectCode]" => "%{rejectCode}" } }

That will produce

              "DetailSection" => {
        "elementDetail" => {
            "0" => {
                "rejectCode" => "a"
            }
        }
    },

What issue do you have with that?

Hanciv · June 11, 2018, 7:14pm

I am getting the below JSON response rather than the expected respone as array:

"DetailsSection"{
"elementDetail": {
"0": {
"reject code":"a"
}
}
}

Exepected Response:

"DetailsSection"{
"elementDetail": [
{
"reject code":"a"
}
]
}

Badger · June 11, 2018, 7:46pm

Depending on whether you want the array to contain a single object or multiple objects...

    ruby {
        code => "
        a = []
        h = Hash.new
        event.to_hash.each { | k, v |
            if k == 'rejectCode' || k == 'rejectReasonDescription'
                # For an array where each entry contains a single object has use this instead
                #a << { k => v }
                h[k] = v
            end
        }
        a << h
        event.set( '[DetailSection][elementDetail]', a)
        "
    }

Hanciv · June 11, 2018, 7:55pm

That worked like a charm. Thank you so much

system · July 9, 2018, 8:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.