How to parse json values from http poller into event fields?

wailoont · June 20, 2018, 3:25am

I am using logstash http poller plugin to call an API to retrieve information. Below is my logstash conf.

input {
  http_poller {
    urls => {
      test2 => {
        method => get
        url => "http://localhost:9000/api/measures/component
        headers => {
          Accept => "application/json"
        }
     }
    }
    request_timeout => 60
    # Supports "cron", "every", "at" and "in" schedules by rufus scheduler
    schedule => { cron => "* * * * * UTC"}
    codec => "json"
    # A hash of request metadata info (timing, response headers, etc.) will be sent here
    metadata_target => "http_poller_metadata"
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

The rubydebug output is below:

{
"measures" => [
            [0] {
                "periods" => [
                    [0] {
                        "index" => 1,
                        "value" => "-4"
                    }
                ],
                  "value" => "24",
                 "metric" => "ncloc"
            }
        ]
}

How do i parse the values in the json to key/value fields in the elasticsearch fields?
for example.

measures.value = 24
measures.metric = ncloc

magnusbaeck · June 20, 2018, 6:23am

The JSON has already been parsed into discrete fields. You only need to move/rename the [measures][0][value] and [measures][0][metric] fields to the desired location. Make sure you read https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references to understand the difference between measures.value and [measures][value].

wailoont · June 21, 2018, 4:30am

Thank you magnus.

I managed to do it after added a filter function.

Final configuration is as below.

        input {
          http_poller {
            urls => {
              test2 => {
                method => get
                url => "http://localhost:9000/api/measures/component
                headers => {
                  Accept => "application/json"
                }
             }
            }
            request_timeout => 60
            # Supports "cron", "every", "at" and "in" schedules by rufus scheduler
            schedule => { cron => "* * * * * UTC"}
            codec => "json"
            # A hash of request metadata info (timing, response headers, etc.) will be sent here
            metadata_target => "http_poller_metadata"
          }
        }

        filter {
        json{
            source => "message"
        }
    	mutate { 
    	add_field => { "metric" => "%{[component][measures][0][metric]}"  } 
    	add_field => { "value" => "%{[component][measures][0][value]}"  } 
    	}
     }

        output {
          elasticsearch { hosts => ["localhost:9200"] }
          stdout { codec => rubydebug }
        }

system · July 19, 2018, 4:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.