Extracting key pair Values using nested Json Paths

vaseemQA · January 26, 2022, 5:45am

Hi Guys,

I'm Using Json plugin in filter and trying to fetch a value which resides in below json path.

parsedJson.query.bool.filter[0].bool.must[0].bool.must[2].term["list_attributes.orderId.long"].value

and actually complete json looks like below.

{
  "_source": false,
  "from": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [
              {
                "bool": {
                  "must": [
                    {
                      "bool": {
                        "must_not": [
                          {
                            "terms": {
                              "list_attributes.id.long": [
                                123456
                              ],
                              "boost": 1
                            }
                          }
                        ],
                        "adjust_pure_negative": true,
                        "boost": 1
                      }
                    },
                    {
                      "term": {
                        "list_attributes.xxxx.long": {
                          "value": 123456,
                          "boost": 1
                        }
                      }
                    },
                    {
                      "term": {
                        "list_attributes.orderId.long": {
                          "value": 12345,
                          "boost": 1
                        }
                      }
                    }
                  ],
                  "adjust_pure_negative": true,
                  "boost": 1
                }
              },
              {
                "term": {
                  "active": {
                    "value": true,
                    "boost": 1
                  }
                }
              },
              {
                "term": {
                  "deleted": {
                    "value": false,
                    "boost": 1
                  }
                }
              }
            ],
            "adjust_pure_negative": true,
            "boost": 1
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "size": 24,
  "sort": [
    {
      "attributes.startdate": {
        "order": "desc",
        "missing": "_last",
        "unmapped_type": "long"
      }
    }
  ],
  "version": true
}

And, So In Filter plugin I've used below json path to get the value of orderId, but Its not extracting the value, can anyone help me in escaping double Quotes ? or How can we extract such values using json paths?

mutate{
 add_field => {"orderId" => "%{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term]["list_attributes.orderId.long"][value]}"}
}

mutate{
 add_field => {"orderId" => "%{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term][\"list_attributes.orderId.long\"][value]}"}
}

Thanks,
Vaseem

Tomo_M · January 26, 2022, 8:55am

Have you tried path without quotes like %{[parsedJson][query][bool][filter][0][bool][must][0][bool][must][2][term][indexed_attributes.orderId.long][value]}?

vaseemQA · January 26, 2022, 8:59am

Yes I tried this, It doesn't worked

Tomo_M · January 26, 2022, 12:33pm

Hmm, it's strange.
It worked completely fine for me.

input {
 file {
   mode => "read"
   path => ["C:/test_json_path.json"]
   start_position => "beginning"
   exit_after_read => true
   file_completed_action => "log"
   file_completed_log_path => "C:/test.log"
   codec => multiline {
        pattern => "^{"
        negate => "true"
        what => "previous"
    }
 }
}
filter {
    json{
        source => "message"
        target => "doc"
        remove_field => "message"
    }
}
filter {
 mutate{
  add_field => {"orderID" => "%{[doc][query][bool][filter][0][bool][must][0][bool][must][2][term][list_attributes.orderId.long][value]}"}
  remove_field => "doc"
 }
}
output {
   stdout { codec => rubydebug }
}

{
    "@timestamp" => 2022-01-26T12:32:30.140Z,
          "path" => "C:/test_json_path.json",
          "tags" => [
        [0] "multiline"
    ],
       "orderID" => "12345",
      "@version" => "1",
          "host" => "DESKTOP-RGB3EPD"
}

vaseemQA · January 26, 2022, 1:35pm

Hey @Tomo_M ,

Sorry Yes It worked, I had some typo error.

Thanks,

system · February 23, 2022, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.