Extracting key pair Values using nested Json Paths

vaseemQA · January 26, 2022, 5:45am

Hi Guys,

I'm Using Json plugin in filter and trying to fetch a value which resides in below json path.

parsedJson.query.bool.filter[0].bool.must[0].bool.must[2].term["list_attributes.orderId.long"].value

and actually complete json looks like below.

{
  "_source": false,
  "from": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [
              {
                "bool": {
                  "must": [
                    {
                      "bool": {
                        "must_not": [
                          {
                            "terms": {
                              "list_attributes.id.long": [
                                123456
                              ],
                              "boost": 1
                            }
                          }
                        ],
                        "adjust_pure_negative": true,
                        "boost": 1
                      }
                    },
                    {
                      "term": {
                        "list_attributes.xxxx.long": {
                          "value": 123456,
                          "boost": 1
                        }
                      }
                    },
                    {
                      "term": {
                        "list_attributes.orderId.long": {
                          "value": 12345,
                          "boost": 1
                        }
                      }
                    }
                  ],
                  "adjust_pure_negative": true,
                  "boost": 1
                }
              },
              {
                "term": {
                  "active": {
                    "value": true,
                    "boost": 1
                  }
                }
              },
              {
                "term": {
                  "deleted": {
                    "value": false,
                    "boost": 1
                  }
                }
              }
            ],
            "adjust_pure_negative": true,
            "boost": 1
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "size": 24,
  "sort": [
    {
      "attributes.startdate": {
        "order": "desc",
        "missing": "_last",
        "unmapped_type": "long"
      }
    }
  ],
  "version": true
}

And, So In Filter plugin I've used below json path to get the value of orderId, but Its not extracting the value, can anyone help me in escaping double Quotes ? or How can we extract such values using json paths?

mutate{
 add_field => {"orderId" => "%{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term]["list_attributes.orderId.long"][value]}"}
}

mutate{
 add_field => {"orderId" => "%{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term][\"list_attributes.orderId.long\"][value]}"}
}

Thanks,
Vaseem

Tomo_M · January 26, 2022, 8:55am

Have you tried path without quotes like %{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term][indexed_attributes.orderId.long][value]}?

vaseemQA · January 26, 2022, 8:59am

Yes I tried this, It doesn't worked

Tomo_M · January 26, 2022, 12:33pm

Hmm, it's strange.
It worked completely fine for me.

input {
 file {
   mode => "read"
   path => ["C:/test_json_path.json"]
   start_position => "beginning"
   exit_after_read => true
   file_completed_action => "log"
   file_completed_log_path => "C:/test.log"
   codec => multiline {
        pattern => "^{"
        negate => "true"
        what => "previous"
    }
 }
}
filter {
    json{
        source => "message"
        target => "doc"
        remove_field => "message"
    }
}
filter {
 mutate{
  add_field => {"orderID" => "%{[doc][query][bool][filter][0][bool][must][0][bool][must][2][term][list_attributes.orderId.long][value]}"}
  remove_field => "doc"
 }
}
output {
   stdout { codec => rubydebug }
}

{
    "@timestamp" => 2022-01-26T12:32:30.140Z,
          "path" => "C:/test_json_path.json",
          "tags" => [
        [0] "multiline"
    ],
       "orderID" => "12345",
      "@version" => "1",
          "host" => "DESKTOP-RGB3EPD"
}

vaseemQA · January 26, 2022, 1:35pm

Hey @Tomo_M ,

Sorry Yes It worked, I had some typo error.

Thanks,

system · February 23, 2022, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Which filter(s) to extract array of JSON values, then use array to look up nested JSON objects? Logstash	12	359	November 7, 2023
Nested json as a string field Logstash	3	1643	February 13, 2019
Jsons and logstash Logstash	5	497	July 15, 2017
JsonPath in Logstash plugin Logstash	1	380	April 9, 2019
Logstash cannot extract json key Logstash	4	426	February 11, 2019

Extracting key pair Values using nested Json Paths

Related topics