Filtering json fields to be outputted by logstash

aszac · July 7, 2017, 11:05am

Hello!

I am using logstash 5.4 to read a json interaction from kafka and then filter it so that:

interaction will be dropped unless field car.name exist
only fields car.name and car.model are outputted

My config looks like this:

input {
kafka {
topics => members
bootstrap_servers => "***"
codec => "json"
group_id => "members"
}
}
filter {
if ![car][name] {
drop { }
}
prune {
whitelist_names => [
"[car][name]",
"[car][model]"
]
}
}
output {
stdout {
codec => "json"
}
}

Input and output example:
{"name":"John","surname":"Smith","age":30,"car":{"name":"BMW","model":"320","speed":123},"job":{"company":"Tesco","title":"manager"}}
{"@timestamp":"2017-07-07T11:00:57.986Z","car":{"name":"BMW","model":"320","speed":123},"surname":"Smith","name":"John"}

How do I make the config correct, so that only the whitelisted fields are being outputted?

magnusbaeck · July 10, 2017, 10:52am

Unfortunately the prune filter doesn't support subfields. For now you'll have to use a ruby filter to prune the subfields of the car field.

aszac · July 12, 2017, 1:38pm

I have got around that problem by first using the mutate -> add_field plugin to flatten the json and then used the prune filter on the new flattened field.

e.g.
mutate {
add_field => {
"car.name" => "%{[car][name]}"
"car.model" => "%{[car][model]}"
}
}
prune {
whitelist_names => [
"car.name",
"car.model",
]
}

system · August 9, 2017, 1:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.