How to parse nested json through logstash

Rahul_rr · June 16, 2020, 12:08pm

I'm getting the data from sqs queue as a nested json and parsing through logstash. i tried some approaches but it didn't work. Below is my sample nested json.
{
"service_event": {
"id": 166175,
"equipment": {
"id": 166175,
"equipment_number": "CRTE123456",
"equipment_type": "Tractor",
"associated_container_number": null,
"associated_tractor_number": "CRTE123456",
"associated_trailer_number": null
},
"event_code": "AA165585",
"source": "web",
"td": {
"id": 304,
"name": "Crete Carrier"
},
"ep": {
"id": 9,
"name": "NACPC"

Here is my logstash conf file:
filter {
json {
source => "Message"
target => "parsed"
}

mutate {
add_field => {

	"service_id" => "%{[parsed][service_event][id]}"
	"equipment_id" => "%{[parsed][service_event][equipment][id]}"
	"equipment_number" => "%{[parsed][service_event][equipment][equipment_number]}"
	"equipment_type" => "%{[parsed][service_event][equipment][equipment_type]}"
	
}

This is what i'm getting in ruby debug output:
"equipment_type" => "%{[parsed][service_event][0][equipment][equipment_type]}",
"equipment_number" => "%{[parsed][service_event][0][equipment][equipment_number]}"
}

What am i doing wrong. Any help is appreciated. Thanks

Badger · June 16, 2020, 3:20pm

service_event does not appear to be an array, so remove the [0]

Rahul_rr · June 17, 2020, 6:38am

I removed the target => parsed from my json filter and it is working fine now.
But i'm getting another error because of my timestamp fields. Because some of my timestamp fields are null for some events (for eg: when my event gets created i will get value in "open_time" field and my "completed_time" gets null value until the events gets completed). So, in this case how to resolve? any suggestions.
Thanks.

Rahul_rr · June 18, 2020, 12:20pm

Some of my fields are null values in the nested json. So, when I parse the nested json through logstash, it is not getting parsed.

Pls look at my output image and tell me some suggestions. Thanks

ptamba · June 18, 2020, 12:25pm

you will have to use conditionals to check for not null before applying mutations. add_field will add arbitrary values, so if the value is null, it will add the reference to the value

Rahul_rr · June 18, 2020, 12:28pm

I tried some ruby filters but none of them is working. Can you please post some examples, so that I can understand clearly. Thanks

ptamba · June 18, 2020, 12:36pm

for example

if  [service_event][equipment][id] {
  mutate { 
    add_field => { 
      “[equipment_id] => “%{[service_event][equipment][id]} 
     } 
  } 
}

will only assign the value of [service_event][equipment][id] to [equipment_id] if the value is not null.

Rahul_rr · June 18, 2020, 2:55pm

Thanks @ptamba. I have one more query on array type json. In my case i'm getting the array json dynamically.
for eg.., 1st event==>"service_lines" => [
[0] {
"aar" => {
"category" => {
"id" => 42,
"name" => "Tires"
},
"system" => {
"id" => 1,
"name" => "Tire"
},
"subsystem" => {
"id" => 1,
"name" => "Tire"
},
"service" => {
"id" => 53,
"name" => "Service Call - Tire"
}
},
"id" => 586131,
"is_approved" => nil,
"vmrs" => nil
},

For one event i will get one array and for another i may get 2 or 3 arrays. So, in that case how to parse my json. Any suggestions. Thanks for your help.

system · July 16, 2020, 2:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse nested json Logstash	9	6395	July 6, 2017
How can I parse nested JSON strings to JSON objects? Logstash	7	1457	November 28, 2021
Unable to parse nested json using logstash json filter Logstash	6	1187	October 16, 2019
How to parse nested logs with JSON through logstash Logstash	5	3362	August 19, 2020
Nested json imposible to parse Logstash	7	1505	July 6, 2017

How to parse nested json through logstash

Related topics