Create new records from old one

ddoroshenko · December 15, 2021, 2:08pm

Hello!

I have JSON at input

{
  "data:{
    "id":"123"
  },
  "message":[
    "event1",
    "event2",
    "event3"
  ],
  "source":"abc"
}

Is it possible to make three different events based on "event1", "event2" and "event3" like

{
  "data:{
    "id":"123"
  },
  "event1",
  "source":"abc"
}

and so on ?

Badger · December 15, 2021, 2:22pm

You can use a split filter to split the array into three different events. I am not sure what you mean by

"event1",

A hash entry needs a key and a value.

ddoroshenko · December 15, 2021, 2:56pm

@Badger

the input JSON is

{
  "data:{
    "id":"123"
  },
  "message":[
    "2021-12-15T19:50:00-0700 [INFO]: message1",
    "2021-12-15T19:51:00-0700 [INFO]: message2"
  ],
  "source":"abc"
}

So I want to get two events

{
  "data:{
    "id":"123"
  },
  "2021-12-15T19:50:00-0700 [INFO]: message1",
  "source":"abc"
}

and

{
  "data:{
    "id":"123"
  },
  "2021-12-15T19:51:00-0700 [INFO]: message2",
  "source":"abc"
}

Badger · December 15, 2021, 3:07pm

Neither of those would be valid JSON.

ddoroshenko · December 15, 2021, 3:14pm

@Badger when I parse it with json filter I get

"source" => "abc",
      "@version" => "1",
      "sequence" => 0,
          "host" => "localhost.localdomain",
       "message" => [
        [0] "2021-12-15T19:50:00-0700 [INFO]: message1",
        [1] "2021-12-15T19:51:00-0700 [INFO]: message2"
    ],
    "@timestamp" => 2021-12-15T14:48:06.259Z,
          "data" => {
        "id" => "123"
    }

Badger · December 15, 2021, 3:26pm

And if you use a split filter you can change that to two events that look like

      "host" => "localhost.localdomain",
   "message" => "2021-12-15T19:50:00-0700 [INFO]: message1",
"@timestamp" => 2021-12-15T14:48:06.259Z,
      "data" => {
    "id" => "123"
}

But you cannot convert them to be

      "host" => "localhost.localdomain",
   "2021-12-15T19:50:00-0700 [INFO]: message1",
"@timestamp" => 2021-12-15T14:48:06.259Z,
      "data" => {
    "id" => "123"
}

which is what you are asking for.

ddoroshenko · December 15, 2021, 3:32pm

@Badger this one is what I want

"host" => "localhost.localdomain",
   "message" => "2021-12-15T19:50:00-0700 [INFO]: message1",
"@timestamp" => 2021-12-15T14:48:06.259Z,
      "data" => {
    "id" => "123"
}

but when I use split filter after json filter

mutate {
    split => { "[message]" => "," }
  }

I get the error mutate - Can't split something that isn't a string

ddoroshenko · December 15, 2021, 3:42pm

I've used wrong filter
It should be

split {
    field  => "message"
  }

system · January 12, 2022, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.