Grok array of jsons

How do I grok an array of JSONs?
E.g.:
[2017-05-29 02:17:18] INFO – [ActivityServiceRest:89] – [{"callId":"kjwefkjweqkfb"},{"callId":"nwekgwnkqgkqr"},{"callId":"ohjiwnwbnwbrk"}]

I want to store all the callIds in a field called call_Id,
where the number of times callId appears is dynamic.
Can someone please help?

Use a grok filter to extract the various pieces of the string into discrete fields. What's most important for your current question is that the JSON array is in a field of its own. Then have a json filter process that field, and finally you'll have to write a small piece of Ruby in a ruby filter to collect all the call id values into an array. This probably works:

ruby {
  code => "event.set('call_Id', event.get('XXX').collect { |h| h['callId'] })"
}

Replace XXX with the name of the field containing the parsed JSON array.
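The three stages described in the reply above (grok, json, ruby), plus the timestamp parsing a date filter would do, as a stand-alone Ruby sketch. This is an added example, not part of the original reply and not a Logstash configuration. The function `process`, the regular expression, the field names `payload` and `calls`, and the sample lines are assumptions made for illustration; the failure tags are Logstash's default tag names.

```ruby
require 'json'
require 'time'

# Constructed sample lines modelled on the log line in the question
# (straight quotes, so the payload is valid JSON).
SAMPLE_LINES = [
  '[2017-05-29 02:17:18] INFO - [ActivityServiceRest:89] - [{"callId":"kjwefkjweqkfb"},{"callId":"nwekgwnkqgkqr"},{"callId":"ohjiwnwbnwbrk"}]',
  '[2017-05-29 02:17:19] INFO - [ActivityServiceRest:89] - [{"callId":"aaa"},{"other":1}]',
  '[2017-05-29 02:17:20] WARN - [ActivityServiceRest:91] - [{"callId":"trunc',
  '[not a date] INFO - [ActivityServiceRest:89] - []'
].freeze

# Stage 1 (grok): split the line into fields, with the JSON array in a field
# of its own. The separator may be "-" or an en dash (U+2013).
LINE_RE = /\A\[(?<timestamp>[^\]]+)\]\s+(?<level>\w+)\s+[-\u2013]\s+\[(?<source>[^:\]]+):(?<lineno>\d+)\]\s+[-\u2013]\s+(?<payload>.*)\z/

def process(line)
  event = { 'message' => line, 'tags' => [] }
  m = LINE_RE.match(line)
  unless m
    event['tags'] << '_grokparsefailure'
    return event
  end
  event['level'] = m[:level]
  event['payload'] = m[:payload]

  # Date stage: a timestamp that does not match the format only tags the event.
  begin
    event['@timestamp'] = Time.strptime(m[:timestamp], '%Y-%m-%d %H:%M:%S')
  rescue ArgumentError
    event['tags'] << '_dateparsefailure'
  end

  # Stage 2 (json): parse the payload field; truncated input is tagged, not fatal.
  begin
    event['calls'] = JSON.parse(m[:payload])
  rescue JSON::ParserError
    event['tags'] << '_jsonparsefailure'
    return event
  end

  # Stage 3 (ruby): collect every callId, skipping entries that lack one.
  calls = event['calls']
  event['call_Id'] = calls.map { |h| h['callId'] if h.is_a?(Hash) }.compact if calls.is_a?(Array)
  event
end

SAMPLE_LINES.each { |l| e = process(l); puts "#{e['call_Id'].inspect} tags=#{e['tags'].inspect}" } if __FILE__ == $PROGRAM_NAME
```

The guard on `calls.is_a?(Array)` and the `compact` call cover what the one-line filter does not: a payload that is not an array, and array entries without a `callId` key.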

Thanks a lot, it worked and I am able to get the callIds in an array, but it's giving me _dateparsefailure in the tags. Is it something related to the JSON field in the input log?

The Logstash log will contain details about the date filter's failure. You also need to post your Logstash configuration.

Yeah, there was an error in my Logstash filter and I resolved it. Thanks for helping out.
