How to parse API HTTP output data

Hello Team,
I am running an API to get servicestatus data, which looks like this:

{
    "recordcount": 11906,
    "servicestatus": [
        {
            "host_name": "unixteam.abc.com",
            "service_description": "Disk Usage on \/var\/opt\/ansible",
            "display_name": "Disk Usage on \/var\/opt\/ansible",
            "host_object_id": "6512",
            "host_address": "123.45.67.202",
            "host_alias": "unixteam.abc.com",
            "icon_image": "",
            "icon_image_alt": "",
            "notes": "",
            "notes_url": "",
            "action_url": "",
            "servicestatus_id": "21119",
            "instance_id": "1",
            "service_object_id": "10616",
            "status_update_time": "2023-04-25 10:06:46",
            "output": "OK: Used_percent was 0.00 %",
            "long_output": "",
            "perfdata": "'used_percent'=0.00%;90;95;",
            "last_check": "2023-04-25 09:57:23",
            "next_check": "2023-04-25 10:07:22",
            "check_type": "0",
            "check_options": "0",
            "last_state_change": "2022-10-31 04:36:40",
            "last_hard_state_change": "2022-10-31 04:36:40",
            "last_hard_state": "0",
            "last_time_ok": "2023-04-25 09:57:23",
            "last_time_warning": "1969-12-31 19:00:00",
            "last_time_unknown": "2022-10-27 18:22:17",
            "last_time_critical": "2022-10-27 17:31:04",
            "state_type": "1",
            "last_notification": "1969-12-31 19:00:00",
            "next_notification": "1969-12-31 19:00:00",
            "no_more_notifications": "0",
            "notifications_enabled": "1",
            "problem_has_been_acknowledged": "0",
            "percent_state_change": "0",
            "check_command": "check_xi_ncpa!-t 'mytoken' -P 5693 -M 'disk\/logical\/|var|opt|ansible\/used_percent' -w 90 -c 95",
            "normal_check_interval": "10",
            "retry_check_interval": "2",
            "check_timeperiod_object_id": "145"
        }
    ]
}

I tried to use the mutate filter in my code, as explained in existing topics in the forum, as below:


input {
  file {
    path => "/home/evs16/test.json"
    start_position => beginning
    sincedb_path => "/dev/null"
  }
}

filter {
  json {
#rs    source => "servicestatus"
    source => "message"
  }
  mutate {
    add_field => { "hostname" => "{%[servicestatus][host_name]}"
                   "service_description" => "{%[servicestatus][service_description]}"
#rs                   "check_command" => "%{[check_command]}"
                 }
  }
}

output {
  stdout { codec => rubydebug }
}

But I am not getting the expected fields as output, but something like the below:



           "@timestamp" => 2023-04-26T11:19:06.940Z,
               "@version" => "1",
    "service_description" => "{%[servicestatus][service_description]}",
                   "path" => "/home/evs16/test.json",
                   "host" => "gvabc01q",
               "hostname" => "{%[servicestatus][host_name]}",
                "message" => "            \"service_description\": \"Disk Usage on \\/var\\/opt\\/ansible\","

Please help. I simply want to extract a few fields from the above API output, or if we already have a similar post, that would help.

Is the return of your API in the file /home/evs16/test.json a single-line JSON, or do you have it pretty-printed like you shared?

Logstash reads the file line by line; each line is a document/event, so the return event from your API needs to be on a single line, or you will need to use the multiline codec.

Actually, for testing purposes I had put the data in a file input, as the actual API has a huge output. I will try the multiline codec as advised and come back if I face any further issues.
Thanks Leandro.
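
A pipeline that applies the multiline codec suggested above to the pretty-printed file; this is an added example, not a configuration posted by anyone in the thread. It assumes the file holds one JSON document whose opening `{` is in column 0, and it goes beyond the advice given by also using the `%{[field]}` sprintf form, splitting the `servicestatus` array into one event per service, and dropping `check_command`, which in the sample carries the NCPA token (`-t 'mytoken'`). The size limits are assumed values to be tuned.

```logstash
input {
  file {
    path => "/home/evs16/test.json"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    # Append every line that does NOT start with "{" in column 0 to the
    # previous line, so the pretty-printed document becomes a single event.
    codec => multiline {
      pattern => "^\{"
      negate => true
      what => "previous"
      auto_flush_interval => 2    # emit the last document after 2 s of silence
      # Assumed limits: the defaults (500 lines, 10 MiB) would cut a large
      # response short and tag the event "multiline_codec_max_lines_reached".
      max_lines => 1000000
      max_bytes => "100 MiB"
    }
  }
}

filter {
  json {
    source => "message"
    remove_field => ["message"]   # drop the raw text once it has been parsed
  }
  # "servicestatus" is an array; split emits one event per element, after
  # which [servicestatus] is a single object on each event.
  split {
    field => "servicestatus"
  }
  mutate {
    # sprintf references are written %{[field][subfield]}, not {%[...]}
    add_field => {
      "hostname" => "%{[servicestatus][host_name]}"
      "service_description" => "%{[servicestatus][service_description]}"
    }
    # check_command embeds the agent token on its command line; remove it
    # before the event reaches any output.
    remove_field => ["[servicestatus][check_command]"]
  }
}

output {
  stdout { codec => rubydebug }
}
```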
