Hi everyone,
Good day! I am a newbie to ELK.
Currently I am working with the data returned by an API. When I check my target body, it contains the data returned by the API call. However, after processing this data with mutate and some if conditions, it seems the data cannot be ingested into an index: whenever I check my index, it is empty.
# Sends a POST request to the API for each event and stores the response
# body in the [testbody] field (target_body).
# NOTE(review): the rename that follows reads [testbody][d][...], which
# presumably needs the response to be parsed as JSON rather than kept as a
# plain string; confirm the response Content-Type.
http {
verb => "POST"
# NOTE(review): with an http:// URL the basic-auth credentials below and the
# request payload are sent unencrypted. Use https:// if the API offers it.
url => "http://API URL"
user => "user"
# NOTE(review): avoid a literal password in the pipeline file. Logstash can
# resolve a ${VAR} reference from the environment or the Logstash keystore.
password => "testpassword"
target_body => "testbody"
request_timeout => 300
headers => {
Accept => "application/json"
"X-Requested-With" => "X"
}
body_format => "json"
# The body is one single-quoted string, so the %{...} references inside it
# are substituted as plain text with no JSON escaping. A quote or backslash
# in [fields][record_type] or [payload] would yield invalid JSON or alter the
# structure of the request, so validate those fields before this filter.
# Do not add comments inside the string: they would be sent to the API.
body => '{
"Id": "ID",
"Rfcdest": "",
"Mins": "",
"Parameter": [{
"Id": "ID",
"Fnam": "FNAMData",
"Fval": "ID",
"Extval": []
}, {
"Id": "ID",
"Fnam": "FNAMData",
"Fval": "ID",
"Extval": []
}, {
"Id": "ID",
"Fnam": "FNAMData",
"Fval": "%{[fields][record_type]}",
"Extval": [
%{payload}
]
}
],
"Return": [],
"Data": []
}'
}
# Lift the two nested result arrays of the API response to top-level fields.
# A rename whose source field is absent does nothing, so a missing
# [returnData] afterwards means the response did not have this shape.
mutate {
  rename => {
    "[testbody][d][Return][results]"    => "returnData"
    "[testbody][d][Parameter][results]" => "parameter"
  }
}
# Copy the positional [Message] entries of returnData into named fields.
# Both branches require a non-empty returnData. RETAIL records read six
# entries; every other record type reads four.
# NOTE(review): only entry 0 is checked. A %{...} reference to an entry that
# does not exist is left in the field as literal text, so a shorter response
# stores placeholder strings instead of values.
if [returnData] and [returnData][0] and [fields][record_type] == "RETAIL" {
  mutate {
    add_field => {
      "return_ship_date"       => "%{[returnData][0][Message]}"
      "return_number"          => "%{[returnData][1][Message]}"
      "return_delivery_number" => "%{[returnData][2][Message]}"
      "return_ship_to"         => "%{[returnData][3][Message]}"
      "return_sampleNo"        => "%{[returnData][4][Message]}"
      "return_confirmation"    => "%{[returnData][5][Message]}"
    }
  }
} else if [returnData] and [returnData][0] {
  mutate {
    add_field => {
      "return_ship_date"       => "%{[returnData][0][Message]}"
      "return_number"          => "%{[returnData][1][Message]}"
      "return_delivery_number" => "%{[returnData][2][Message]}"
      "return_confirmation"    => "%{[returnData][3][Message]}"
    }
  }
}
}
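# Ships every event to Elasticsearch and also prints it to the console.
output {
  elasticsearch {
    # NOTE(review): plain HTTP without credentials is only acceptable for a
    # local, unsecured test node. Enable TLS and authentication on the
    # cluster and in this output before using it beyond localhost.
    hosts => ["http://localhost:9200"]
    # Elasticsearch index names must be lowercase. The original value
    # "sampleIndex" is rejected by Elasticsearch, so no documents were stored.
    index => "sampleindex"
  }
  # Debug aid: prints the full event, including the API response, to stdout.
  # Remove it once the pipeline works so response data does not end up in logs.
  stdout {
    codec => rubydebug
  }
}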