How to fetch out the array values

Elastic Stack Logstash
1

Hi,
I have below sample data

{
   "logtype":"demo" ,"operation":"demoStatus",
   "Stats":[
      { "apiName":"a",          "failedCount":0,     "successCount":0 },
      { "apiName":"b",         "failedCount":0,      "successCount":0 },  
      { "apiName":"c",        "failedCount":25,    "successCount":344 },
      { "apiName":"d",         "failedCount":0,     "successCount":0 }
   ]
}

I want to fetch out the values from the array. So that the output result should be like
expected output of array

Stats.apiNamea      : a
Stats.failedCounta  : 0
Stats.successCounta : 0

Stats.apiNameb[Stats.apiName(apiName value)] : b 
Stats.failedCountb  : 0
Stats.successCountb : 0

Could someone please help us ?

2

[Stats][0][apiNamea] for a
[Stats][0][failedCount] for 0
[Stats][0][successCount] 0
[Stats][1]... for 2nd element

If you want a loop, use Ruby.

3

Wouldn't be better to have each item on the array as a different document? This is normally the approach when you have arrays like this.

In this case, from the sample document you shared, you would end up with 4 documents:

 { "logtype":"demo" ,"operation":"demoStatus","Stats": { "apiName":"a", "failedCount":0, "successCount":0 } }
 { "logtype":"demo" ,"operation":"demoStatus","Stats": { "apiName":"b", "failedCount":0, "successCount":0 } }
 { "logtype":"demo" ,"operation":"demoStatus","Stats": { "apiName":"c", "failedCount":25, "successCount":344 } }
 { "logtype":"demo" ,"operation":"demoStatus","Stats": { "apiName":"d", "failedCount":0, "successCount":0 } }

You can do that using the split filter.

1 Like
4

Thanks @leandrojmp for the reply

But if the number of elements in array are more in that case there are so many different documents. So having different logs is not suitable for the usecase. In this case the hits should be more for the single logs that might affect the result on the kibana.

Instead if the same log can be processed and we are able to store all those key values in the same log.

As key name is same I am thinking to use to iterate through the loop and append it with name of key with the value.

If it can be possible that will be good for my usecase.
Or if there is any another approch which I can try please suggest.

5

Thanks @Rios
I will try this and update.

6

It's better to use split as Leandro suggested. It's not came to my mind.

7

This could lead to having a lot of fields in your index which may have impact in performance.

Also, how are you planning to use this data? For example, if you append the name of the key to the fields of failedCount and successCount you won't be able to plot a graphic comparing which API has more fails or success because the field name is different.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.