How to parse multiple nested arrays

Ankita_Pachauri · September 20, 2023, 2:08am

Hello everyone,

I am trying to parse a json document using logstash version 8.3.3. The json document has multiple nested arrays, to flatten the document split is being used inside the filter. The issue is that the splits are taking too long to complete almost 15-20 mins for 10 documents and most of the time this also hangs logstash. I have also tried using multiple workers without any luck. The system running logstash has 24 GB dedicated to logstash JVM. Does anyone know of a better method to parse the document properly, maybe without using split? (Attaching sample document and filter being used).

Sample Data:

{
  "AppManager-response": {
    "result": {
      "response": {
        "Monitorinfo": {
          "Attribute": [
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            "",
            ""
          ],
          "CHILDMONITORS": [
            {
              "CHILDMONITORINFO": [
                {
                  "CHILDATTRIBUTES": [
                    "",
                    "",
                    "",
                    ""
                  ]
                },
                {
                  "CHILDATTRIBUTES": [
                    "",
                    "",
                    "",
                    ""
                  ]
                }
              ]
            },
            {
              "CHILDMONITORINFO": [
                {
                  "CHILDATTRIBUTES": [
                    "",
                    "",
                    "",
                    ""
                  ]
                },
                {
                  "CHILDATTRIBUTES": [
                    "",
                    "",
                    "",
                    ""
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}

Filter Used:

filter{

split{field => "[result][response][0][Attribute]"}
split{field => "[result][response][0][CHILDMONITORS]", target => "splitjson"}
split{field => "[splitjson][CHILDMONITORS]", target => "nestedsplitjson"}
split{field => "[nestedsplitjson][CHILDATTRIBUTES]", target => "finalsplitjson"}

}

Kindly assist.

Badger · September 20, 2023, 7:50pm

If you look at the code you will see that if the split value is empty then it is discarded. So when you do the split on

    "Monitorinfo": {
      "Attribute": [
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        "",
        ""
      ],

the split filter breaks it up into 14 parts, discards them all, and then cancels the event it split.

Ankita_Pachauri · September 21, 2023, 8:17am

Thanks for your response, and sorry for the confusion. Unfortunately I will not be able to share the complete data set as it contains sensitive information hence I have only shared the blank template. I am getting data inside these arrays. Do you know of any other way of splitting these nested arrays?

system · October 19, 2023, 8:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to parse multiple nested arrays Logstash	1	127	November 6, 2023
How to parse multiple json files with nested json arrays in it Logstash	1	1321	September 4, 2017
Parsing nested json Logstash	2	241	September 30, 2020
Logstash how to parse and split nested json file Logstash	10	1815	June 20, 2022
Split into field nested array JSON Logstash	1	337	January 24, 2019

How to parse multiple nested arrays

Related Topics