I am using logstash to populate elastic
filter {
json {
source => "message"
target => "jsoncontent"
remove_field => ["message"]
}
}
and
jsoncontent: {"switchname": "switch1", "interface": "Ethernet101/1/5", "vlan": "25", "speed": "a-1000", "duplex": "full"}```
type or paste code here
to populate elastic
Any idea how I can create those fields?
Badger
December 4, 2023, 8:42pm
2
The [jsoncontent] field is created by the json filter. There will be fields within like [jsoncontent][switchname]. If you want those at the top level then remove the target option from the json filter.
when I remove the top filter I get a json error in my output saying that a target is needed
Badger
December 4, 2023, 10:12pm
4
OK, so check this thread.
sorry I am confused, how does the ruby code help?
I see how it could help but my code is not working
filter {
json {
source => "message"
target => "jsoncontent"
remove_field => ["message"]
}
}
ruby {
code => '
event.get("jsoncontent").each { |k, v|
event.set(k,v)}
event.remove("jsoncontent")'
}
Badger
December 5, 2023, 5:09pm
7
What do you see if you use output { stdout { codec => rubydebug } } ?
For some reason with the ruby code the conf file will not launch, so I cannot get a stdout
Badger
December 5, 2023, 7:22pm
9
So remove the ruby filter and post the rubydebug.
sorry for the delay:
"event" => {
"original" => "\"{\\\"switchname\\\": \\\"switch1\\\", \\\"interface\\\": \\\"Ethernet101/1/2\\\", \\\"vlan\\\": \\\"254\\\", \\\"speed\\\": \\\"a-1000\\\", \\\"duplex\\\": \\\"full\\\"}\""
},
"jsoncontent" => "{\"switchname\": \"switch1\", \"interface\": \"Ethernet101/1/2\", \"vlan\": \"254\", \"speed\": \"a-1000\", \"duplex\": \"full\"}",
"@version" => "1",
"@timestamp" => 2023-12-05T21:17:44.717761918Z,
"host" => {
"ip" => "5.5.5.5"
}
}
Badger
December 5, 2023, 10:44pm
11
OK, you will need to use a second json filter to parse [jsoncontent].
system
January 2, 2024, 10:44pm
12
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.