How to split array without a target?


#1

Hi,

I'm trying to split a JSON array into multiple events. Here's a sample input:

{"results" : [{"id": "a1", "name": "hello"}, {"id": "a2", "name": "logstash"}]}

Here's my filter and output config:

filter {
  split {
    field => "results"
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}

This produces close to what I'm looking for:

{
       "results" => {
          "id" => "a1",
        "name" => "hello"
    },
      "@version" => "1",
    "@timestamp" => "2015-05-30T18:33:21.527Z",
          "host" => "laptop",
}
{
       "results" => {
          "id" => "a2",
        "name" => "logstash"
    },
      "@version" => "1",
    "@timestamp" => "2015-05-30T18:33:21.527Z",
          "host" => "laptop",
}

The problem is the nested "results" part, "results" being the default value for the target parameter.
Is there a way to use the split filter without producing the nested JSON, and get something like this:

{
            "id" => "a1",
          "name" => "hello",
      "@version" => "1",
    "@timestamp" => "2015-05-30T18:33:21.527Z",
          "host" => "laptop",
}
{
            "id" => "a2",
          "name" => "logstash",
      "@version" => "1",
    "@timestamp" => "2015-05-30T18:33:21.527Z",
          "host" => "laptop",
}

EDITED:
The purpose is to feed this to the Elasticsearch output with each event being a document with document_id => "id". Any good solutions are welcome!


(Rafał Trójniak) #2

Hello @aiden,
That's an interesting problem.

To have each 'result' as a separate document, you have to split that single Logstash event into two Logstash events.
After that, each of the two events has to be processed separately: one to use the first result, the second to use the second result.

To duplicate an event, you can use the 'clone' filter. For managing part of the events, I had tried to use the 'mutate' filter, but it has some problems when moving elements of an array, so I filed a bug report and used ruby for that.

Here is an example POC for that:


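The transformation both posts are after (one event per element of "results", with the element's keys hoisted to the top level so "id" can serve as the Elasticsearch document_id) is shown below as a plain Ruby script. This is an added example, not the POC from the post above and not Logstash's own split or ruby filter code; it works on a plain Hash rather than a Logstash Event object, and the sample input, the build_event helper and the list of protected fields are constructed for illustration. It also goes one step beyond the question: because each element is merged over the top-level fields, an element carrying its own "host" or "@timestamp" key would otherwise overwrite the metadata the pipeline attached, so those keys are dropped from the element before merging, and a "results" value that is not an array of objects raises instead of silently producing no events.

```ruby
require 'json'

# Constructed sample input, same shape as the question's example document.
SAMPLE_INPUT = '{"results" : [{"id": "a1", "name": "hello"}, {"id": "a2", "name": "logstash"}]}'

# Top-level fields an element of the array must not overwrite (constructed list;
# these are the fields Logstash itself attaches to the event).
PROTECTED_FIELDS = %w[@timestamp @version host].freeze

# Build the base event the way the rubydebug output in the question shows it:
# the parsed JSON plus the metadata fields Logstash adds. Helper for this example.
def build_event(json_text, host: 'laptop', timestamp: '2015-05-30T18:33:21.527Z')
  event = JSON.parse(json_text)
  event['@version'] = '1'
  event['@timestamp'] = timestamp
  event['host'] = host
  event
end

# Split +event+ on +field+ and hoist each element's keys to the top level.
# Returns an array of new event hashes; the input hash is left unmodified.
# Raises ArgumentError when the field is missing or is not an array of objects,
# so a malformed document fails loudly instead of yielding an empty split.
def split_flat(event, field = 'results')
  items = event[field]
  raise ArgumentError, "#{field} is not an array" unless items.is_a?(Array)

  # Everything except the array itself is shared by all resulting events.
  base = event.reject { |k, _| k == field }
  items.map do |item|
    raise ArgumentError, "element of #{field} is not an object" unless item.is_a?(Hash)
    # Drop keys that would clobber pipeline-assigned metadata.
    safe = item.reject { |k, _| PROTECTED_FIELDS.include?(k) }
    base.merge(safe)
  end
end

# The value the Elasticsearch output would use with document_id => "id".
# fetch raises KeyError if an element has no "id", which is preferable to
# indexing a document under an empty id.
def document_ids(events)
  events.map { |e| e.fetch('id') }
end

if __FILE__ == $PROGRAM_NAME
  events = split_flat(build_event(SAMPLE_INPUT))
  events.each { |e| puts JSON.pretty_generate(e) }
  puts document_ids(events).inspect
end
```

Running the script prints two flat documents carrying "id", "name", "@version", "@timestamp" and "host", followed by ["a1", "a2"]. Inside an actual Logstash ruby filter the same logic would read and write fields through the Event API rather than a Hash, but the merge-and-protect step is the part that matters.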
(system) #3