How can I add Json-Data to historic index

Steven_Tschache · January 4, 2023, 11:41am

We currently are importing data using Logstash. One of the fields ("request") is a JSON stored as a string. We now require a section of this stored JSON as fields in the searchable index. I have updated Logstash filter using

filter {
    json {
        source => "request"
        target => "[@metadata][request_json]"
    }
    if [@metadata][request_json][merchant] {
        # in the Request, pull out the Merchant-ID
        mutate {
            add_field => {
                "merchant_id" => "%{[@metadata][request_json][merchant][id]}"
                "merchant_name" => "%{[@metadata][request_json][merchant][name]}"
            }
        }
    }
}

Which works great for new data.

How can I update the indices for the historic data? I'm using Elasticsearch, Logstash and Kibana 8.5.3

Christian_Dahlqvist · January 4, 2023, 12:57pm

You may be able to run an update by query with an ingest pipeline containing a JSON processor.

Steven_Tschache · January 5, 2023, 1:47pm

Thx for the advice. So, I'm looking at this, but struggling how to implement the "painless" script for this, since painless has limited support for JSON. I've started off OK with

[
  {
    "json": {
      "field": "request",
      "target_field": "request_json"
    }
  },
  "script": {
    "inline": "def now_what;",
    "lang": "painless"
  },
  {
    "remove": {
      "field": "request_json"
    }
  }
]

But the bit in the middle is where I'm struggling. Never did "painless" and not much help out there in Google.

Christian_Dahlqvist · January 5, 2023, 1:52pm

Why not use a number of set processors instead of painless?

Steven_Tschache · January 5, 2023, 2:39pm

Because YOU are magic! LOL, thank you so so much!

[
  {
    "json": {
      "field": "request",
      "target_field": "request_json"
    }
  },
  {
    "set": {
      "field": "merchant_name",
      "copy_from": "request_json.merchant.name",
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_name",
      "copy_from": "request_json.data.application.merchant.name",
      "override": false,
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_id",
      "copy_from": "request_json.merchant.id",
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_id",
      "copy_from": "request_json.data.application.merchant.id",
      "override": false,
      "ignore_empty_value": true
    }
  },
  {
    "remove": {
      "field": "request_json"
    }
  }
]

system · February 2, 2023, 2:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Painless scripting JSON functions Elasticsearch	6	13325	September 28, 2017
Blindly parse JSON from logs and add it to elasticsearch Logstash	7	2071	May 25, 2018
JSON parsing question - Elasticsearch+Kibana+Logstash 6.5 Logstash	12	2822	February 8, 2019
Add existing fields to my logstash Logstash	9	844	October 19, 2021
How to configure logstash to index json logs including all fields Logstash	6	4934	July 6, 2017

How can I add Json-Data to historic index

Related topics