Extract specific fields from Json using Logstash

baselai · September 9, 2019, 4:58pm

I have this json file

{
  "type": "resource",
  "headers": {
    "destination_channel": "data"
  },
  "body": {
    "type":"resource",
    "resourceId":"estimatorB",
    "resourceType":null,
    "resourceValue":"data.csv",
    "resourceSettings":{
    },
    "resourceContext":{ 
    },
    "p_id":"123",
    "b_id":"block_789"
  }
}

and I need to take only three fields and push them to Elasticsearch, which they're:

resourceValue
p_id
b_id

here is the code I'm using

input {
  file {
    path => "/usr/share/input/test.json"
    start_position => beginning
    sincedb_path => "/dev/null"
   
  }
}

filter {
  json {
    source => "message"    
  }
  ruby {
    code => '
        arrayOfEvents = Array.new()
        ts = event.get("[body]")
        ts.each do |k,v|
          if k == "resourceValue"
            arrayOfEvents.push(data)
          elsif k == "pipelineId"
            arrayOfEvents.push(data)
          elsif k == "blockId"
            arrayOfEvents.push(data)
          end                        
        end
        arrayOfEvents.push(data)
        event.set("event",arrayOfEvents)        
    '
  }
  split { field => "event" }
}


output {
  stdout {}
}

but it throws an exception ruby split error !

Badger · September 9, 2019, 5:05pm

What are you using "data" to refer to in the ruby filter, and what are you trying to do with the .push immediately before the event.set?

baselai · September 9, 2019, 5:21pm

@Badger I thought about it this way:
I get the fields, or iterate through them -> read the targeted field value and then push it to a temp array -> return it.
to get this output:

{
 "resourceValue":"data.csv",
 "p_id":"123",
 "b_id":"block_789"
}

Badger · September 9, 2019, 5:50pm

data is nil, so the event array is nil, which is not splittable. If you change the first three occurrences of data to v, and change blockId to b_id, and change pipelineId to p_id, and delete the fourth push you will get three events

{
"event" => "123",
"@timestamp" => 2019-09-09T17:41:31.316Z
}
{
"event" => "data.csv",
"@timestamp" => 2019-09-09T17:41:31.316Z
}
{
"event" => "block_789",
"@timestamp" => 2019-09-09T17:41:31.316Z
}

which I do not think is what you want. I do not think you need to use ruby at all.

    mutate {
        add_field => {
            "resourceValue" => "%{[body][resourceValue]}"
            "p_id" => "%{[body][p_id]}"
            "b_id" => "%{[body][b_id]}"
        }
    }
    mutate { remove_field => [ "body", "headers", "message", "type" ] }

system · October 7, 2019, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[JSON filter] Split Dynamic fields Logstash	4	1558	March 11, 2019
Logstash filter : Split plugin doesn't seems to work Logstash	9	5629	July 6, 2017
Split Filter Parse Failure - Only String and Array types are splittable Logstash	5	1204	March 12, 2020
Adding an array of events even if there is only one Elasticsearch	2	120	February 20, 2024
Extract fields from JSON Flie to Elastic using Logstash filters Logstash	6	669	June 29, 2021

Extract specific fields from Json using Logstash

Related Topics