How to Create Fields from Data in JSON Object

capsnumber1 · September 26, 2018, 6:02pm

I have JSON that looks like this:

"httpMessage":{

"method":"GET",
"query":"v=1.020.107",
"start":"1537967152",
"path":"/themes/main/js/jscript.js",
"protocol":"HTTP/1.1",
"requestHeaders":"Host: www.example.com Referer: https://www.example.com/pid/330254684876 Cookie: .ASPXANONYMOUS=0zu1biuM1AEkAAAAMjI4MDIyMzQtN2JlMS00NGMwLWEwODItZjFkODZmOGJiNmUzJL1MheQAQCYvMIQPQYdBIM7Mj4Y1 Accept-Language: en-US Cache-Control: max-age=21679 Connection: keep-alive Accept: / User-Agent: AdsBot-Google ( http://www.google.com/adsbot.html) Accept-Encoding: gzip,deflate,br ",
"responseHeaders":"Content-Type: application/javascript Last-Modified: Wed, 29 Aug 2018 17:34:53 GMT Accept-Ranges: bytes ETag: "e2e38c98be3fd41:0" Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Content-Encoding: gzip Content-Length: 26196 Cache-Control: max-age=0 Expires: Wed, 26 Sep 2018 13:05:52 GMT Date: Wed, 26 Sep 2018 13:05:52 GMT Connection: keep-alive Vary: Accept-Encoding ",
"port":"443",
"requestId":"d0ef6h75",
"bytes":"26196",
"host":"www.example.com",
"tls":"tls1.2",
"status":"200"

Logstash will correctly parse the JSON to httpMessage.requestHeaders as

"Host: www.example.com Referer: https://www.example.com/pid/330254684876 Cookie: .ASPXANONYMOUS=0zu1biuM1AEkAAAAMjI4MDIyMzQtN2JlMS00NGMwLWEwODItZjFkODZmOGJiNmUzJL1MheQAQCYvMIQPQYdBIM7Mj4Y1 Accept-Language: en-US Cache-Control: max-age=21679 Connection: keep-alive Accept: / User-Agent: AdsBot-Google ( http://www.google.com/adsbot.html) Accept-Encoding: gzip,deflate,br "

Question is, how can I pull out the individual pieces like "Host", "Referer", "Cookie", etc from within that JSON object into their own fields?? - example: httpMessage.requestHeaders.Host

magnusbaeck · September 26, 2018, 6:52pm

You can use a mutate filter to rename or copy fields to a new location. Just pay attention to how Logstash field references look; httpMessage.requestHeaders.Host must be referenced as [httpMessage][requestHeaders][Host].

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

capsnumber1 · September 26, 2018, 7:51pm

Thanks for your reply. So I added:

add_field => {
"TEST1" => "%{[httpMessage][requestHeaders][Host]}"
}

to my JSON filter section to try to pull that out into its own field.

This is what gets extracted into my TEST1 field: %{[httpMessage][requestHeaders][Host]}.

What am I doing wrong?

EDIT I think the reason it isn't working is that each value within the object does not have quotes around it. For example, it is Host and not "Host". Given this, what would be my workaround?

magnusbaeck · September 26, 2018, 9:05pm

The [httpMessage][requestHeaders] field isn't an object with discrete fields, it's a string with key/value pairs. You can parse it with a kv filter.

system · October 24, 2018, 9:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to add all elements in an array from json objects as fields in logstash Logstash	7	1463	April 16, 2018
Create a JSON Field from the existing string fields Logstash	1	316	December 17, 2018
Parse JSON input into fields Logstash	5	7012	March 19, 2018
How create fields using json fileter in logstash Logstash	11	353	July 9, 2020
How to frame json object in Logstash? Logstash	5	358	July 5, 2018

How to Create Fields from Data in JSON Object

Related Topics