How can I parse array of objects using Logstash?

cezar996 · April 18, 2020, 12:22pm

Hello everybody!

Does anybody knows how can I parse an array of objects of this type: [{name:Cezar, age:23}, {name:Leon, age:22}, {name:Steven, age:33}]. Every object should be an event in Discovery Section. Please take into consideration that this array is written in a single line (it comes from some logs extracted in Elasticsearch). I have tried and read a lot of configurations and I did't solve the problem.

Thanks in advance!

Badger · April 18, 2020, 5:11pm

Use a json filter with the target option set, then use a split filter.

stcdarrell · April 19, 2020, 2:57am

seems to be an array of jsons..

without more of the schema its kinda hard.. but it'll be either

filter {
     json{
             source => "[name_of_field]"
     }
}

or

filter {
 split {
   field => "[name_of_field]"
 }
}

cezar996 · April 20, 2020, 8:53am

Thank you guys for your responses! I don't understand what "[name_of_field]" refers to. I don't have anything before [. My file contains a large JSON array of 30 MB which begins with [ and ends with ], having nothing before or after. If I want to edit this big file, I use Notepad, but it works very very slow. So it won't be a very good solution to append a field in front of the array. Therefore, taking into consideration my above example, [{name:Cezar, age:23}, {name:Leon, age:22}, {name:Steven, age:33}] , by using Logstash, I want to get in Elasticsearch an index with 3 docs. Every doc should have these 2 columns: name and age. The first one with (Cezar,23), the second one with (Leon, 22), etc.
Do you know how could I do this more exactly? Thanks in advance!

Badger · April 20, 2020, 3:22pm

[name_of_field] is a reference to a field called name_of_field. You did not tell us what your field name is, and we have no way of knowing. If your field is called message then you would use [message] in those filters.

cezar996 · April 21, 2020, 8:29am

Hi @Badger!

Thank you for your precious replies! I have read numerous topics on discuss.elastic.co and I saw you gave very important pieces of advice. I have succeeded in sending data to Elasticsearch for the example above where I had an array with 3 objects. In order to do that, I have used the following configuration in Logstash:

input {
  file {
    path => ["/home/..../json-file-name"]
    start_position => "beginning"
    sincedb_path => ["/home/..../sincedb"]
    codec => "json"
  }
}

filter {
if [message] {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "setlogs-%{+YYYY.MM.dd}"
  }
  
  stdout {
	codec => rubydebug
  }
}

It works for my example with 3 objects. But when try to do this for my JSON array which has 30 MB and almost 4300 objects, Logstash doesn't print anything. It is like it waits for some input. I let Logstash running for 50 min. but when I saw there is no output I closed it. Do you have any idea what happened?

Badger · April 21, 2020, 3:31pm

Interesting. If you have a json codec then if it successfully parses the event it does not set the [message] field. So this is dropping any events that were not successfully parsed. It is a really, really obscure way to achieve that, and will confuse a lot of people. I suggest you remove that and see what you get on stdout.

I suggest you remove

system · May 19, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing array of json objects with logstash and injesting to elastic Logstash	9	11263	November 12, 2019
Parsing Array Object in Logstash Logstash	8	6702	February 20, 2018
Parsing json array Logstash	6	310	June 16, 2021
How to parse array of objects into separate field Logstash	4	312	September 12, 2023
Parse JSON array Logstash	1	222	November 23, 2021

How can I parse array of objects using Logstash?

Related Topics