How to filter single line json?

jeromeat · February 4, 2022, 12:16am

I am trying to figure out how to filter this single line of json data I have been able to pull via http_poller. I've obfuscated the data, but this is the format it's coming in as. I've never utilized a filter before, so I'm not sure how to go about this. Any help would be appreciated.

{"products":[{"test_level":"Green","title":"Testing Title one","executive_summary":"Test Executive summary","updated_at":"2018-10-15T17:50:28.000Z","threat_level":0,"serial":"Test-2020-01","test_count":0,"tags":[{"text":"Test Distribution","tag_type":"Testing"},{"text":"United States","tag_type":"GeographicLocation"},{"text":"Testing Location","tag_type":"Industry"}],"release_date":"2020-04-21T04:00:00.000Z","type":"Report Special","report_link":"https://portal.website.test/api/v1"},{"test_level":"Green","title":"Testing Title one","executive_summary":"Test Executive summary","updated_at":"2018-10-15T17:50:28.000Z","threat_level":0,"serial":"Test-2020-01","test_count":0,"tags":[{"text":"Test Distribution","tag_type":"Testing"},{"text":"United States","tag_type":"GeographicLocation"},{"text":"Testing Location","tag_type":"Industry"}],"release_date":"2020-04-21T04:00:00.000Z","type":"Report Special","report_link":"https://portal.website.test/api/v1"},{"test_level":"Green","title":"Testing Title one","executive_summary":"Test Executive summary","updated_at":"2018-10-15T17:50:28.000Z","threat_level":0,"serial":"Test-2020-01","test_count":0,"tags":[{"text":"Test Distribution","tag_type":"Testing"},{"text":"United States","tag_type":"GeographicLocation"},{"text":"Testing Location","tag_type":"Industry"}],"release_date":"2020-04-21T04:00:00.000Z","type":"Report Special","report_link":"https://portal.website.test/api/v1"},{"test_level":"Green","title":"Testing Title one","executive_summary":"Test Executive summary","updated_at":"2018-10-15T17:50:28.000Z","threat_level":0,"serial":"Test-2020-01","test_count":0,"tags":[{"text":"Test Distribution","tag_type":"Testing"},{"text":"United States","tag_type":"GeographicLocation"},{"text":"Testing Location","tag_type":"Industry"}],"release_date":"2020-04-21T04:00:00.000Z","type":"Report Special","report_link":"https://portal.website.test/api/v1"},```

Badger · February 4, 2022, 1:35am

Aren't you using a json codec on your http_poller input?

jeromeat · February 4, 2022, 1:57am

Yes I am. However, it’s parsing the one line as one line.

Badger · February 4, 2022, 2:42am

Use a json filter. You may need to use mutate+gsub to clean up the end of the [message] field before doing so.

jeromeat · February 8, 2022, 5:21pm

I fixed it using the following:

filter {
  split { field => "[products]" }
  split { field => "[products][code_level]" } 
   
}```

system · March 8, 2022, 5:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.