Create split series / aggregation based on json message

gandhz · June 30, 2021, 3:33am

Hi,

I have service logs which contains json message like example below:

{
    "caller_method_name": "transferConfirmation",
    "caller_line_number": 328,
    "message": "Transfer via virtual : {"transferRef":"22151","amountTransfer":"10000","transferFee":"0","totalTransfer":"10000","responseCode":"31"}"
    "user_agent": "HttpComponents"
}

I wanted to do count aggregation based on response code. Is it possible to do it? We cannot list down the response code and filter one by one since we have so many response code start from 00 till xxx number of response code.

Thanks

Iker · June 30, 2021, 4:25am

Hi Gandhi, as I see, is completly doable, you have to use a JSON Processor, probably twice with the option "add to root" if you like; once you have the data in a nice looking format you should be able to make all the aggregations:

{
	"caller_method_name": "transferConfirmation",
	"caller_line_number": 328,
	"message": {
		"type": "Transfer via virtual",
		"transferRef": "22151",
		"amountTransfer": "10000",
		"transferFee": "0",
		"totalTransfer": "10000",
		"responseCode": "31"
	},
	"user_agent": "HttpComponents"
}

gandhz · June 30, 2021, 9:39am

Hi Iker,

Thanks for info. Actually I'm still new in ELK stack, do you have any sample to use or implement JSON Processor?

Thanks

Iker · June 30, 2021, 4:40pm

It is not that hard, you could create a new Ingest Pipeline even from the Kibana UI, then, when you are indexing the documents, specify the pipeline id to use. Take a look at the documentation and you will be up and running in no time:

system · July 28, 2021, 4:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.