Extract multiple field/value pairs from single value in JSON string

Adi_Buta · January 31, 2020, 12:25pm

Hello,
I'm trying to extract some field/value pairs from a single field in a json string. My sample message:
{
...
"comment":"Ticket number : INC:I16393898, status : Work In Progress, group : Ent.Support.SOC.",
...
}

From the value of the "comment" field I would like to extract three separate field/value pairs:
"Ticket number":"INC:I16393898"
"status":"Work In Progress"
"group":"Ent.Support.SOC."

What I tried and miserably failed:
filter {
mutate {
add_field => { "cmt_ticket_no" => "%{[comment][Ticket number]}" }
add_field => { "cmt_status" => "%{[comment][status]}" }
add_field => { "cmt_group" => "%{[comment][group]}" }
}}
Is there a solution for what I try to achieve? Any suggestion is highly appreciated. Thanks.

ITIC · January 31, 2020, 1:28pm

Hi

Take a look at the kv{} filter here.

I think you can easily extract what you need using source and field_split or field_split_pattern in the kv{}filter.

Hope this helps.

Adi_Buta · January 31, 2020, 3:11pm

It did work indeed, many thanks

system · February 28, 2020, 3:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Json field parsing , multi value field Logstash	11	2113	October 11, 2017
Logstash : Extract values from a String field in Json Logstash	4	996	September 26, 2019
Split field into multiple fields Logstash	4	1160	October 15, 2021
Single key (field) with multiple values to multiple key (fields) with single fields convertion Logstash	3	642	November 14, 2019
Extract strings from one field Logstash	3	3812	July 6, 2017

Extract multiple field/value pairs from single value in JSON string

Related Topics