Grep on input message with json format

vimalmpatel · December 2, 2015, 7:28pm

hello

my input message is in json format. if i want to use condition to create new tag within jason how would i do that . please correct me if i am wrong.

input file record

{"applicationID":"12348811","timestamp":"2015-11-12T21:15:25.092Z","approved":1,"rejected":0}

log stash configuration

input {
file {
path => "C:\xxx.log"
}
}

filter {
if [approved] =1
json {
add_field => {
"new_field" => "Application Accepted"
}
}
}

output {
elasticsearch {
host => "localhost"
protocol => "http"
index => "xxx-%{+YYYY.MM.dd}"
}
}

expected output in elastic

{"applicationID":"12348811","timestamp":"2015-11-12T21:15:25.092Z","approved":1,"rejected":0,"new_field":"Application Accepted}

vtst2412 · December 2, 2015, 7:47pm

Well, did you run that config? What was the output? I tend to use the json filter in this manner as I'm not sure if you can put an if condition inside of a filter.

input {
  file {
    path => "C:\xxx.log"
  }
}

filter {
  json {
    source => "message"
   }
  if [approved] == 1 {
      mutate {
         add_field => {
              "new_field" => "Application Accepted"
         }
      }
   }
# this is optional if you don't want to collect events that are not approved
# else {
#     drop {} 
# }
}

output {
    elasticsearch {
        host => "localhost"
        protocol => "http"
        index => "xxx-%{+YYYY.MM.dd}"
    }
}

vimalmpatel · December 2, 2015, 7:50pm

No it did not work in the first run. i will try it out with this one. Thanks

vimalmpatel · December 2, 2015, 7:56pm

One more thing i was referring https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html where you can add field. why do i need to use mutate ? i know you can do it using mutate but want to make i can use this also.

filter {
json {
add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
}
}

vtst2412 · December 2, 2015, 8:16pm

You can use add_field in the json filter as well. However, you only want to add_field if [approved] == 1, so we have to breakout of the json filter to do that. You can use the json filter instead of mutate inside of the conditional clause if that bothers you. (add_field is pretty standard among the filters)

vimalmpatel · December 2, 2015, 8:23pm

perfect Thanks

vimalmpatel · January 14, 2016, 9:01pm

i did exactly what you suggested but it is not adding extra field

filter {
json {
source => "message"
}
if [approved] == "0" {
mutate {
add_field => {
"ApproveIndicator" => "0"
}
}
}
else if [approved] == "1" {
mutate {
add_field => {
"ApproveIndicator" => "1"
}
}
}
else {
drop {}
}
}

vtst2412 · January 26, 2016, 3:24pm

Can you run this in debug for one document and provide the output?
Also you didn't put the integer in double quotations originally, why changed? I'm wondering if it's treating them as string and not matching the equality.