How to separate objects inside an array of objects?

Mary2022 · July 21, 2022, 11:08am

Hi,

I still new to ELK and I have been trying to process data that come to me as json file. The json file looks lie this.

[
	{
		"user": "Beta",
		"percent": 28,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987793,
		"Location": "locationB",
		"desk": "MAC"
	},
	{
		"user": "Alpha",
		"percent": 86,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987733,
		"Location": "locationA",
		"desk": "LIN"
	},
	{
		"user": "Charlie",
		"percent": 03,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987724,
		"Location": "locationA",
		"desk": "LIN"
	},

	{
		"user": "test",
		"percent": 15,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987778,
		"Location": "locationB",
		"desk": "MAC"
	},

	{
		"user": "Delta",
		"percent": 28,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987793,
		"Location": "location1",
		"desk": "MAC"
	},

	{
		"user": "Juliana",
		"percent": 28,
		"startTime": "2022-07-07T11:31:45",
		"type": "CPU",
		"total": 1072987793,
		"Location": "location1",
		"desk": "MAC"
	}
]

Each object inside of that array has to be index. Is there a way to do that? How can I separate or process each object separate?

Badger · July 21, 2022, 12:46pm

If you want each entry in the array to be a separate event then use a split filter.

Mary2022 · July 22, 2022, 10:39am

I added the split filter but I am not sure if I am using it right since my array doesn't have a field name/id before the array of objects starts. Below is what I am planning to try today and I added some comments with what I am trying to get but I feel like maybe I need a loop or so.


#This is my input:

input {
	http {
		port => 8287
		ssl => true
		ssl_certificate_authorities => ["xxxxxxxxxxxxxxxx.crt"]
		ssl_certificate => "path.crt"
		ssl_key => "xxxxxxxxxxxxxxxxxx"
		ssl_verify_mode => peer
	}
}


filter {

	split {
		field => "/n"
	}
#After split I want each object to be parse shoudl I use json filter?
	json {source => "message"}

#Then I want to use this grock for the parse of each object/event
	grok {
	match => { "desktop" => "(?<site>^.{2}%{DATA}-%{DATA}%{INT:pod}%{GREEDYDATA}" }
	}

#I want to add and remove fields in each object/event	
	mutate {
	add_field => { 'processed_at' => "%{@timestamp}" }
	remove_field => ["headers"]
	}

	date {
		match => ['startTime', "yyyy-MM-dd'T'HH:mm:ss", "ISO8601"]
		remove_field => ['startTime']
	}
}


#Then I want to send/index each event that was parse.
output {

elasticsearch {
	hosts=>["https:xxxxxx:9200, "https:xxxxxx:9200]
	index => "testCM"
	user => XXXX
	password => "xxxxxxxxx"
	keystore => "xxxx.jks"
	keystore_password => "xxxxxx"
	cacert => "xxxxxxxxxxxxx.crt"
	}
}

Mary2022 · July 26, 2022, 6:56pm

Does the below sounds right?

system · August 23, 2022, 6:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trying to parse a multine array of json objects with logstash split and json Logstash	6	1568	July 5, 2019
Separate Documents from log (JSON) Logstash	0	12	October 21, 2024
How to make a field hold an array, and how to put values in there, and how to loop through an array? Logstash	1	191	March 24, 2021
Parse array of json objects in json Logstash	5	2522	December 4, 2017
Nested objects, to flatten or split? Logstash	2	535	December 24, 2019

How to separate objects inside an array of objects?

Related topics