Convert JSON Object to string

patrick.wall · January 26, 2017, 9:22pm

Hi All,

I am struggling to grasp something here. My use case is this - i am using logstash and elasticsearch to log every request that comes through my API. Whenever my api processes a request, I log the headers, and the json body of the response along with some metadata ( clientip, url, etc.) and send it to logstash in json format.

What is happening is Elasticsearch is indexing each element of the json body into a field instead of indexing the body into one field. What I would like is to have one field in elasticsearch APILog.res.body that contains in the json represented as a string. Is there a way I can convert the APILog.res.body object into a string? I cannot seem to make it work with mutate - I have the following filters to no effect. Can anyone provide some guidance on how to achieve this?

mutate {
  convert => {"%{[APILog][res][body]}" => "string"}
}

mutate {
  replace => {"%{[APILog][res][body]}" => "[APILog][resp][body]"}
}

Example Log

"APILog": {
"res": {
"statusCode": 200,
"body": {
"MyAPiResponse": {
"Results": {
"Results": [
{
"Result1": "1E6C7B9670A60331994D005056BD0622",
"Result2": "160820",
"Result3": "ACTV"
}
]
}
}
}
},
"clientip": "10.0.0.0",
"header": "my header"
}

warkolm · January 26, 2017, 9:30pm

That's a mapping issue, you will want to use the keyword type on the field so it doesn't split it up

patrick.wall · January 26, 2017, 9:42pm

My good man, I am using a dynamic mapping right now. I actually just fixed this (five minutes after posting) by using the json_encode filter.

json_encode {
  source => "[APILog][res][body]"
}

This is know logging exactly how i want. I will check out the keyword type when I go to define my own mapping template. I had not heard of that, thank you

system · February 23, 2017, 9:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.