Extract multiple field/value pairs from single value in JSON string

Elastic Stack Logstash
1

Hello,
I'm trying to extract some field/value pairs from a single field in a json string. My sample message:
{
...
"comment":"Ticket number : INC:I16393898, status : Work In Progress, group : Ent.Support.SOC.",
...
}

From the value of the "comment" field I would like to extract three separate field/value pairs:
"Ticket number":"INC:I16393898"
"status":"Work In Progress"
"group":"Ent.Support.SOC."

What I tried and miserably failed:
filter {
mutate {
add_field => { "cmt_ticket_no" => "%{[comment][Ticket number]}" }
add_field => { "cmt_status" => "%{[comment][status]}" }
add_field => { "cmt_group" => "%{[comment][group]}" }
}}
Is there a solution for what I try to achieve? Any suggestion is highly appreciated. Thanks.

2

Hi

Take a look at the kv{} filter here.

I think you can easily extract what you need using source and field_split or field_split_pattern in the kv{}filter.

Hope this helps.

3

It did work indeed, many thanks

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.