How do I parse inner fields from json?

Ben_Davis · January 9, 2017, 7:35pm

My log is full of nested json like so...

   {
         "foo": 1, 
              "result":{
                   "time":"2017-01-09T02.01:50.000+0000",
                   "product":"blahblah",
                   "quantity":"20"
              }
         }
    }

I only care about the innermost fields named time, product, and quantity. I want logstash to parse those into individual fields.

I've tried

filter{
   json{
      source => "result"
   }
}

And the output is one huge string containing the result field, it does not parse out the contents.

I've been all over the documentation but can't get it right. Any advice?

thank you,

Ben

Andrew_Cholakian1 · January 9, 2017, 8:33pm

@Ben_Davis you probably want to use a json or json_lines codec (not filter) with whatever input you're using. So, if you're using the stdin input you'd want input { stdin => { codec => json_lines } } in your input section. Then, you would use a prune filter to pick which fields you do/don't want.

Ben_Davis · January 9, 2017, 8:34pm

Thank you very much!

including

codec => "json"

in the input section seems to have done the trick.

system · February 6, 2017, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nested Json logs - how to filter correctly Logstash	12	4627	July 6, 2017
Nested json inside a json also getting parsed into different fields using JSON Filter Plugin Logstash	5	507	November 4, 2020
How to parse the json string Logstash	2	275	January 3, 2021
Parse nested json Logstash	9	6395	July 6, 2017
Logstash filtering nested JSON fields (mutate / grok) Logstash	4	1876	July 13, 2017

How do I parse inner fields from json?

Related topics