Fields are not populating from logstash to elastic

mmercaldi · December 4, 2023, 7:59pm

I am using logstash to populate elastic
I have it set so this filter:

filter {
  json {
    source => "message"
    target => "jsoncontent"
    remove_field => ["message"]
    }
}

and

jsoncontent: {"switchname": "switch1", "interface": "Ethernet101/1/5", "vlan": "25", "speed": "a-1000", "duplex": "full"}```
type or paste code here

to populate elastic
However the only field I get is jsoncontent. I want fields created for switchname, interface, vlan, speed, duplex

Any idea how I can create those fields?

Badger · December 4, 2023, 8:42pm

The [jsoncontent] field is created by the json filter. There will be fields within like [jsoncontent][switchname]. If you want those at the top level then remove the target option from the json filter.

mmercaldi · December 4, 2023, 9:42pm

when I remove the top filter I get a json error in my output saying that a target is needed
Parsed JSON object/hash requires a target configuration option {:source=>"message",

Badger · December 4, 2023, 10:12pm

OK, so check this thread.

mmercaldi · December 5, 2023, 2:47pm

sorry I am confused, how does the ruby code help?

mmercaldi · December 5, 2023, 3:36pm

I see how it could help but my code is not working
did I do something wrong on it:

filter {
  json {
    source => "message"
    target => "jsoncontent"
    remove_field => ["message"]
    }
}

ruby {
  code => '
    event.get("jsoncontent").each { |k, v|
    event.set(k,v)}
    event.remove("jsoncontent")'
}

Badger · December 5, 2023, 5:09pm

What do you see if you use output { stdout { codec => rubydebug } } ?

mmercaldi · December 5, 2023, 7:00pm

For some reason with the ruby code the conf file will not launch, so I cannot get a stdout

Badger · December 5, 2023, 7:22pm

So remove the ruby filter and post the rubydebug.

mmercaldi · December 5, 2023, 9:19pm

sorry for the delay:

          "event" => {
        "original" => "\"{\\\"switchname\\\": \\\"switch1\\\", \\\"interface\\\": \\\"Ethernet101/1/2\\\", \\\"vlan\\\": \\\"254\\\", \\\"speed\\\": \\\"a-1000\\\", \\\"duplex\\\": \\\"full\\\"}\""
    },
    "jsoncontent" => "{\"switchname\": \"switch1\", \"interface\": \"Ethernet101/1/2\", \"vlan\": \"254\", \"speed\": \"a-1000\", \"duplex\": \"full\"}",
       "@version" => "1",
     "@timestamp" => 2023-12-05T21:17:44.717761918Z,
           "host" => {
        "ip" => "5.5.5.5"
    }
}

Badger · December 5, 2023, 10:44pm

OK, you will need to use a second json filter to parse [jsoncontent].

Topic		Replies	Views
JSON Logstash Logstash	1	229	April 21, 2023
How to convert the Logstash message to fileds Logstash	16	615	August 8, 2023
Problem with Ruby Filter Logstash	7	987	June 4, 2020
Accessing field of JSON Input Logstash	3	9133	July 6, 2017
Parse json message Logstash	2	1207	July 17, 2018

Fields are not populating from logstash to elastic

Related topics