Dealing with logstash conf file for json string array

I am trying to move the following json in a text file to elasticsearch using logstash.

{"vehicles":{"brand":"honda", "type":["suv","sedan","convertible"]}} .

The logstash processs runs fine and inserts this record to elasticsearch. The problem i am having in elasticsearch is that the type value is converted to a string as displayed below
"type": "suv,sedan,convertible"

How do i get type to be "type":["suv","sedan","convertible"]

I have the following in my logstash filter

filter
{
json {
source => "message"
target => "message"
}
mutate {
add_field => {
"brand" => "%{[message][vehicles][brand]}"
"type" => "%{[message][vehicles][type]}"
}
remove_field => ["message"]
}

}

Appreciate your help. Thanks!

What are you trying to do with this? If type is an array, that will overwrite type with the array converted to a string, which is exactly what you are complaining about.

If you have target set to message in your json filter the type field will be [message][vehicles][type]. If you want that at the top level use

mutate {
    rename => { "[message][vehicles][type]" => "type" }
}

Hi Badger, Thanks for your response.

My current filter settings are

filter
{
json {
source => "message"
target => "message"
}
mutate {
add_field => {
"brand" => "%{[message][vehicles][brand]}"
"type" => "%{[message][vehicles][type]}"
}
remove_field => ["message"]
}

}

In elastic search i want the type data to be "type":["suv","sedan","convertible"] .
At present i am seeing "type": "suv,sedan,convertible"

How do I achieve this ?
Thanks

Use mutate+rename, which I gave a sample of in my previous port.

I see how this is working now. I am all set. Appreciate your help.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.