Filter to add fiels of on nested JSON name value fields

DI_Ralph · March 28, 2022, 1:24pm

Hi,
In Logstash I'm trying to create new fields from Nested JSON where the value of "Name" is part of the field name and "Value" is the actual value of the new field.

For example I got part of an audit log here below.

data.DeviceProperties	
{
  "Name": "OS",
  "Value": "Windows 10"
},
{
  "Name": "BrowserType",
  "Value": "Firefox"
},
{
  "Name": "IsCompliantAndManaged",
  "Value": "False"
}

Now from this I wish to see 3 new fields being present in Kibana, namely:
data.DeviceProperties.OS: "Windows 10"
data.DeviceProperties.BrowserType: "FireFox"
data.DeviceProperties.IsCompliantAndManaged: False

I hope someone has an solution or suggestion how I can achieve this in Logstash.

Badger · March 28, 2022, 2:54pm

You could do something like this.

DI_Ralph · March 29, 2022, 7:37am

Thank you, it looks like it might be the thing I was looking for. I'll go try it and will let you know if it worked.

DI_Ralph · March 30, 2022, 9:18am

Hi, I'm getting an unexpected error I can't seem to resolve.

[2022-03-30T10:58:44,651][ERROR][logstash.codecs.json     ][beats-server][219d0691fbdb75c864a5b62548deb7f17646341a375b877ee0e35512e7ef3280] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (String)"{"CreationTime": "2021-11-08T10:10:14", "Id": "x", "Operation": "UserLoggedIn", "OrganizationId": "x", "RecordType": 15, "ResultStatus": "Success", "UserKey": "x", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "x", "ObjectId": "x", "UserId": "x", "AzureActiveDirectoryEventType": "[truncated 24 chars]; line: 1, column: 1049]>, :data=>"{\"CreationTime\": \"2021-11-08T10:10:14\", \"Id\": \"x\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"x\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"x\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"x\", \"ObjectId\": \"x\", \"UserId\": \"x\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\":"}

The full log it is trying to parse:

{"CreationTime": "2021-11-08T10:10:14", "Id": "x", "Operation": "UserLoggedIn", "OrganizationId": "x", "RecordType": 15, "ResultStatus": "Success", "UserKey": "x", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "x", "ObjectId": "x", "UserId": "x", "AzureActiveDirectoryEventType": 1, "ExtendedProperties":
[{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "x", "Type": 0}, {"ID": "x", "Type": 5}], "ActorContextId": "x", "ActorIpAddress": "x", "InterSystemsId": "x", "IntraSystemId": "x", "SupportTicketId": "", "Target": [{"ID": "x", "Type": 0}], "TargetContextId": "x", "ApplicationId": "x", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Safari"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "x"}], "ErrorNumber": "0", "customerName": "x"}

The content of the logstash.conf as of now:

input {
  pipeline { address => "office365" }
}

filter {
   json {
     source => "DeviceProperties"
   }
       ruby {
        code => '
        props = event.get("DeviceProperties")
        if props
            props.each { |x|
                key = x["key"]
                event.set("DeviceProperties.#{key}", x["value"])
            }
            event.remove("DeviceProperties")
        end
    '
    }
}


output {
  elasticsearch {    
  }
}

And pipelines.yml

- pipeline.id: beats-server
  config.string:
    input {
      beats {
        port => 5046
        codec => "json"
      }
    }

    output {
      pipeline {
        send_to => "office365"
      }
    }


- pipeline.id: office365
  path.config: "/etc/logstash/conf.d/logstash.conf"

What I've tried this far is changing the input codec from "json" to "json_lines" and I've tried it without specifying the "json source" in the filter but unfortunaly to no prevail.

Hope you can see what I'm doing wrong here!

Badger · March 30, 2022, 6:26pm

That is two lines. You are going to need to combine them before using a json filter or codec. You will probably want to solve that upstream in the beat.

system · April 27, 2022, 6:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add the field value to each new filed after json filter processing in Logstash Logstash	2	309	January 10, 2020
Parsing nested JSON fields to separate fields Logstash	3	599	October 23, 2020
Add Nested Field Value to a new field using Logstash Filter Logstash	7	2117	July 27, 2020
How to create fields from nested fields for json data in logstash Logstash	9	726	July 31, 2020
Nested JSON flattened in Logstash Filter Logstash	2	2782	September 13, 2021

Filter to add fiels of on nested JSON name value fields

Related topics