How to extract message from nested json

Dan · November 27, 2018, 12:14pm

this is below json format as input
I am getting overall message in the nested format

{
"_type": "json",
"_id": "AWdVED5hASX98xJL-Xkw",
"_score": 1,
"_source": {
"value1": "rajesh",
"@version": "1",
"host": "DESKTOP-xxxx",
"message": "03-Jan-18,rajesh,22\r",
"type": "json",
"date1": "03-Jan-18",
"cumvalue": "22",
"abcxyz": {
"value1": "rajesh",
"@version": "1",
"host": "DESKTOP-xxxx",
"message": "03-Jan-18,rajesh,22\r",
"type": "json",
"date1": "03-Jan-18",
"cumvalue": "22"
}
},
"fields": {
"abcxyz.@timestamp": [
1543320387251
],
"@timestamp": [
1543320387251
]
}
}

column like "date1","value1","cumvalue" i am not interested in this columns

i just interested in nested node i.e abcxyz

i want to sent this(abcxyz) as a message by dropping all other columns

my final output should looks like below

"abcxyz": {
  "value1": "rajesh",
  "@version": "1",
  "host": "DESKTOP-xxxxx",
  "message": "03-Jan-18,rajesh,22\r",
  "type": "json",
  "date1": "03-Jan-18",
  "cumvalue": "22"
}

i tried with below config file here I don't want to use multiple rename filters
I just simply wants to drop original message and replace that message with nested json message(abcxyz)

> input{
> 
> 	} 
> filter {
> 
> 
> split {field => "[abcxyz]"}
> 
> 		mutate {	
> 				rename => { "[abcxyz][date1]" => "date1" }
> 				rename => { "[abcxyz][value1]" => "value1" }
> 				rename => { "[abcxyz][cumvalue]" => "cumvalue" }
> 				}
> 
> 
> 	} 
> output {  
> elastic
> }

Eniqmatic · November 27, 2018, 12:38pm

Simply use a "remove_field" configuration to remove all the fields you do not want.

system · December 25, 2018, 12:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.