All right so I managed to figure it out with Ruby, but was hoping Logstash would do more of it out of the box. For anyone else who tries to do the same thing, here's my configuration:
input {
file {
codec => multiline {
pattern => "\]"
negate => true
what => next
}
path => "path/to/json"
start_position => "beginning"
sincedb_path => "dev/null"
}
}
filter {
ruby {
init => "require 'json'"
code => "real_arr = JSON.parse(event.get('message'))
event.set('split', real_arr)
"
}
split {
field => "split"
}
ruby {
code => "split = event.get('split')
split.each do |k, val|
event.set(k, val)
end
"
}
}