How to get the field value from an object

uma_parvathy · September 4, 2023, 10:36am

i've a case_number which has a field "task_id". i need to use that id to get all task details. i tried to get the value , it is empty. please help me out.

Here is the Elasticsearch pulled data

{
        "_index": "logstash_itsm_incidents_parent",
        "_id": "7xV-X4oBCe2ml7OsvNHn",
        "_score": 1,
        "_source": {
          "tags": [
            "_jdbcstreamingdefaultsused"
          ],
          "incident_number": "INC0055453",
          "case_number_id": "CS0017821",
          "task_id": "case_number.task_id",
          "sub_account_id": "ACCT7",
          "@version": "1",
          "tasks": {},
          "sub_site_id": "",
          "account_id": "ACCT6",
          "@timestamp": "2023-09-04T09:36:29.104550Z",
          "case_number": {
            "case_number": "CS21",
            "device_name": "",
            "ticket_classification": "Reactive",
            "device_id": "ACCTRUR7GOSBB",
            "configuration_item": "A0",
            "task_id": "CS0017821",
            "alert_id": ""
          },
          "transaction": {
            "asset_serial_number": "",
            "reporting_sensor_count": null,
            "impacted_device_count": 1
          },
          "state": "New",
          "closed_at": null,
          "short_description": "Rouge AP",
          "description": "Rouge AP",
          "site_id": "ACCT0011318",
          "updated_at": "2022-04-12T10:00:05.000Z",
          "incident_parent_id": null
        }

Here my task id comes as "task_id": "case_number.task_id".

and tasks as {} .

From the below case number detail, i've to get the task_id and assign to task_id variable and use that task_id to pull task details and store it in tasks.

          "case_number": {
            "case_number": "CS21",
            "device_name": "",
            "ticket_classification": "Reactive",
            "device_id": "ACSBB",
            "configuration_item": "A0",
            "task_id": "CS0017821",
            "alert_id": ""
          },

The configuration is being used as per below one. i tried add_field{"task_id" => [case_number][task_id]} as well as add_field{"task_id" => case_number.task_id} both failed . how to set the task_id field value from case_number

input {
    jdbc {
        jdbc_driver_library => "/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/jars/postgresql-jdbc.jar"
        jdbc_connection_string => "jdbc:postgresql://localhost:5432/pl_itsm_stg"
        jdbc_user => "postgres"
        jdbc_password => "root"
        jdbc_driver_class => "org.postgresql.Driver"
        tracking_column_type => "timestamp"
        schedule => "0 * * * *" # cronjob schedule format (see "Helpful Links")
        statement => "SELECT incident_number, site_id, sub_site_id, account_id, sub_account_id, closed_at, state, short_description, description, incident_parent_id, updated_at, case_number_id from customerdata_incident"
        jdbc_fetch_size => "100000"
        jdbc_paging_enabled => "true"
	jdbc_page_size => "300"
    }
}

filter {
        if [case_number_id] {
                jdbc_streaming {
                        jdbc_driver_library => "/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/jars/postgresql-jdbc.jar"
                        jdbc_connection_string => "jdbc:postgresql://localhost:5432/pl_itsm_stg"
                        jdbc_user => "postgres"
                        jdbc_password => "root"
                        jdbc_driver_class => "org.postgresql.Driver"
                        statement => "select case_number,device_id, device_name, alert_id, ticket_classification, configuration_item, task_id from customerdata_case WHERE case_number = :case_id"
                        parameters => { "case_id" => "case_number_id"}
                        target => "case_number"
                }
        	ruby {
                        code => '
                                        cases = event.get("case_number")
                                        if cases.is_a? Array
                                                event.set("case", cases[0])
                                        end
                                '

        	}
        	if [case] {
                	mutate {
                        	rename => {"case" => "case_number"}
                                add_field =>{"task_id" => case_number.task_id} 
                	}
        	}
		
		if [task_id] {
			jdbc_streaming {
                        	jdbc_driver_library => "/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/jars/postgresql-jdbc.jar"
                        	jdbc_connection_string => "jdbc:postgresql://localhost:5432/pl_itsm_stg"
                        	jdbc_user => "postgres"
                        	jdbc_password => "root"
                        	jdbc_driver_class => "org.postgresql.Driver"
                        	statement => "select task_number, task_type from customerdata_task WHERE task_number = :task_num"
                        	parameters => { "task_num" => "task_id"}
                        	target => "tasks"
                	}
                	ruby {
                        	code => '
                                        task_info = event.get("tasks")
                                        if task_info.is_a? Array
                                                event.set("task_info", task_info[0])
                                        end
                                '

                	}
                        mutate {
                                rename => {"task_info" => "tasks"}
                        }
		}

        }
        jdbc_streaming {
                        jdbc_driver_library => "/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/jars/postgresql-jdbc.jar"
                        jdbc_connection_string => "jdbc:postgresql://localhost:5432/pl_itsm_stg"
                        jdbc_user => "postgres"
                        jdbc_password => "root"
                        jdbc_driver_class => "org.postgresql.Driver"
                        statement => "select asset_serial_number, impacted_device_count, reporting_sensor_count from incident_transaction WHERE incident_id = :inc_id"
                        parameters => { "inc_id" => "incident_number"}
                        target => "transaction"
        }
        if [transaction] {
                        ruby {
                                code => '
                                        transactions = event.get("transaction")
                                        if transactions.is_a? Array
                                                event.set("transaction", transactions[0])
                                        end
                                '

                        }
	}
	if [incident_parent_id] {
  		jdbc_streaming {
        		jdbc_driver_library => "/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/jars/postgresql-jdbc.jar"
        		jdbc_connection_string => "jdbc:postgresql://localhost:5432/pl_itsm_stg"
        		jdbc_user => "postgres"
        		jdbc_password => "root"
        		jdbc_driver_class => "org.postgresql.Driver"
    			statement => "select incident_number, company, sub_site_id, site_id, account_id, sub_account_id, issue_type, incident_state, resolved_at, resolved_by, impact, state, urgency from customerdata_incident WHERE incident_number = :parent_id"
    			parameters => { "parent_id" => "incident_parent_id"}
    			target => "incident_parent_id"
  		}
 
        }
        ruby {
			code => '
    					incident_parent = event.get("incident_parent_id")
    					if incident_parent.is_a? Array
						event.set("parent_id", incident_parent[0])
                                        end
                                '

        }	
        if [parent_id] {
		mutate {
                        rename => {"parent_id" => "incident_parent_id"}
                }
        }
	mutate {
		copy => {"id" => "[@metadata][_id]"}
                
	}
}
output {
	stdout { codec => "json" }
	elasticsearch {
		hosts => ["https://localhost:9200"]
                ssl => true
                ssl_certificate_verification => false
                cacert => "/Users/dev/ca_logstash.cer"
		user => "elastic"
		password => "+K"
		index => "logstash_itsm_incidents_parent"
                ilm_enabled => true
	}
}

uma_parvathy · September 5, 2023, 9:40am

i tried the below command.

mutate {
     add_field{"task_id" => "%{case_number[task_id]}"}
}

I got mutate error in the log.

2023-09-05T15:00:01,139][WARN ][logstash.filters.mutate  ][main][3c01554ad8a1ecfbdd4206a3581fd425a377228a0b1392e8e0f765ec82e6d2c7] Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `case_number[task_id]`", :backtrace=>["org.logstash.FieldReference$StrictTokenizer.tokenize(FieldReference.java:354)", "org.logstash.FieldReference.parse(FieldReference.java:244)", "org.logstash.FieldReference.parseToCache(FieldReference.java:235)", "org.logstash.FieldReference.from(FieldReference.java:158)", "org.logstash.Event.getField(Event.java:193)", "org.logstash.StringInterpolation.evaluate(StringInterpolation.java:108)", "org.logstash.Event.sprintf(Event.java:406)", "org.logstash.ext.JrubyEventExtLibrary$RubyEvent.ruby_sprintf(JrubyEventExtLibrary.java:202)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.util.decorators.RUBY$block$add_fields$2(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/util/decorators.rb:34)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:151)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:106)", "org.jruby.runtime.Block.yield(Block.java:188)", "org.jruby.RubyArray.each(RubyArray.java:1865)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.util.decorators.RUBY$block$add_fields$1(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/util/decorators.rb:33)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:151)", "org.jruby.runtime.IRBlockBody.yieldSpecificMultiArgsCommon(IRBlockBody.java:110)", "org.jruby.runtime.IRBlockBody.yieldSpecific(IRBlockBody.java:122)", "org.jruby.runtime.Block.yieldSpecific(Block.java:175)", "org.jruby.RubyHash$10.visit(RubyHash.java:1539)", "org.jruby.RubyHash$10.visit(RubyHash.java:1535)", "org.jruby.RubyHash.visitLimited(RubyHash.java:727)", "org.jruby.RubyHash.visitAll(RubyHash.java:712)", "org.jruby.RubyHash.iteratorVisitAll(RubyHash.java:1495)", "org.jruby.RubyHash.each_pairCommon(RubyHash.java:1530)", "org.jruby.RubyHash.each(RubyHash.java:1519)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.util.decorators.RUBY$method$add_fields$0(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/util/decorators.rb:30)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.util.decorators.RUBY$method$add_fields$0$__VARARGS__(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/util/decorators.rb:29)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:139)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:112)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:85)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:549)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:361)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:86)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:218)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:173)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:316)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:86)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:383)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:185)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:338)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:86)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.filters.base.RUBY$block$multi_filter$1(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/filters/base.rb:178)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:151)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:106)", "org.jruby.runtime.Block.yield(Block.java:188)", "org.jruby.RubyArray.each(RubyArray.java:1865)", "usr.local.Cellar.logstash.$8_dot_9_dot_0.libexec.logstash_minus_core.lib.logstash.filters.base.RUBY$method$multi_filter$0(/usr/local/Cellar/logstash/8.9.0/libexec/logstash-core/lib/logstash/filters/base.rb:175)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:165)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:185)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:218)", "org.logstash.config.ir.compiler.FilterDelegatorExt.doMultiFilter(FilterDelegatorExt.java:128)", "org.logstash.config.ir.compiler.AbstractFilterDelegatorExt.lambda$multiFilter$0(AbstractFilterDelegatorExt.java:133)", "org.logstash.instrument.metrics.timer.ConcurrentLiveTimerMetric.time(ConcurrentLiveTimerMetric.java:47)", "org.logstash.config.ir.compiler.AbstractFilterDelegatorExt.multiFilter(AbstractFilterDelegatorExt.java:133)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset4.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset5.compute(Unknown Source)", "org.logstash.generated.CompiledDataset3.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset4.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset6.compute(Unknown Source)", "org.logstash.generated.CompiledDataset3.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset6.compute(Unknown Source)", "org.logstash.config.ir.CompiledPipeline$CompiledUnorderedExecution.compute(CompiledPipeline.java:347)", "org.logstash.config.ir.CompiledPipeline$CompiledUnorderedExecution.compute(CompiledPipeline.java:341)", "org.logstash.execution.ObservedExecution.lambda$compute$0(ObservedExecution.java:17)", "org.logstash.execution.WorkerObserver.lambda$observeExecutionComputation$0(WorkerObserver.java:39)", "org.logstash.instrument.metrics.timer.ConcurrentLiveTimerMetric.time(ConcurrentLiveTimerMetric.java:47)", "org.logstash.execution.WorkerObserver.lambda$executeWithTimers$1(WorkerObserver.java:50)", "org.logstash.instrument.metrics.timer.ConcurrentLiveTimerMetric.time(ConcurrentLiveTimerMetric.java:47)", "org.logstash.execution.WorkerObserver.executeWithTimers(WorkerObserver.java:50)", "org.logstash.execution.WorkerObserver.observeExecutionComputation(WorkerObserver.java:38)", "org.logstash.execution.ObservedExecution.compute(ObservedExecution.java:17)", "org.logstash.execution.WorkerLoop.abortableCompute(WorkerLoop.java:113)", "org.logstash.execution.WorkerLoop.run(WorkerLoop.java:86)", "java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)", "java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)", "java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)", "java.base/java.lang.reflect.Method.invoke(Method.java:568)", "org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(JavaMethod.java:442)", "org.jruby.javasupport.JavaMethod.invokeDirect(JavaMethod.java:306)", "org.jruby.java.invokers.InstanceMethodInvoker.call(InstanceMethodInvoker.java:32)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:142)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:345)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:72)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:116)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.Block.call(Block.java:143)", "org.jruby.RubyProc.call(RubyProc.java:309)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:107)", "java.base/java.lang.Thread.run(Thread.java:833)"]}

appreciate your help. Thanks in advance.

Badger · September 5, 2023, 12:33pm

That should be %{[case_number][task_id]}.

uma_parvathy · September 6, 2023, 9:57am

thanks . it worked.

system · October 4, 2023, 9:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.