Flatten the json array into field in filter of logstash

5b0eafdfbfb313f6ed17 · June 13, 2018, 2:35pm

Now I have the filed below in Kibana.

{ "steps": [
      {
        "stepName": "****",
        "values": {
          "type": "**",
          "startTime": "**",
          "total": 0
        }
      },
      {
        "stepName": "**",
        "values": {
          "type": "***",
          "startTime": "**",
          "total": 1
        }
      },
      {
        "stepName": "**",
        "values": {
          "type": "**",
          "startTime": "**",
          "total": 0
        }
      }
    ]}

And i want to change the jsonarray format in kibana. I would like to split the array and show the array index in the field.

steps.0.stepName:"**"
steps.0.values.type:"**"
steps.0.values.startTime:"**"
step.0.values.total:"***"

step.1.stepName:"**"
steps.1.values.type:"**"
steps.1.values.startTime:"**"
step.1.values.total:"***"

I have trying to using split filter but no luck. Also I trying to use scripted field in Kibana, but it does not work. And now I have no idea how to achieve this. Can anyone help me about this?Thanks!

Badger · June 13, 2018, 4:43pm

Well mutate+split creates an array from a string, and a split filter creates multiple events from an array in the current event. Neither of which matches what you want to do.

I think you have to do it in ruby. Do not use . in a field name, it will come back to bite you later. This should get you started:

ruby {
    code => '
        a = event.get("steps")
        a.each_index { |i|
             event.set("steps-#{i}-total", a[i]["values"]["total"])
        }
    '
}

Seems like an odd thing to want to do though!

system · July 11, 2018, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.