How to split JSON nested arrays?

MrFrost · April 13, 2018, 1:05pm

Hello,

I have quite a problem in attempt to split tags below is what I have:

message: {"fields":{"value":9936},"name":"sqlserver_performance","tags":{"counter":"Log File(s) Size (KB)","host":"WIN","instance":"Total","object":"MSSQL$DB:Databases","sql_instance":"WIN:DB"},"timestamp":1523617465000000000}

After parsing it with JSON in logstash by using:

json {
        source => "message"
    }

I get below results in elasticsearch:

{
  "_index": "logstash-sql-2018.04.13",
  "_type": "doc",
  "_id": "RuetvmIB7heNFYtXabpg",
  "_version": 1,
  "_score": null,
  "_source": {
    "offset": 1225848,
    "@timestamp": "2018-04-13T11:04:25.000Z",
    "fields": {
      "value": 9936
    },
    "tags": [
      [
        "host",
        "WIN"
      ],
      [
        "object",
        "MSSQL$DB:Databases"
      ],
      [
        "counter",
        "Log File(s) Size (KB)"
      ],
      [
        "instance",
        "Total"
      ],
      [
        "sql_instance",
        "WIN:DB"
      ]
    ],
    "beat": {
      "version": "6.2.3",
      "hostname": "WIN",
      "name": "WIN"
    },
    "name": "sqlserver_performance",
    "host": "WIN",
    "date": "1523617465000",
    "timestamp": 1523617465000000000,
    "@version": "1",
    "source": "c:\\temp\\sql\\sqlperf.out",
    "message": "{\"fields\":{\"value\":9936},\"name\":\"sqlserver_performance\",\"tags\":{\"counter\":\"Log File(s) Size (KB)\",\"host\":\"WIN\",\"instance\":\"Total\",\"object\":\"MSSQL$DB:Databases\",\"sql_instance\":\"WIN:DB\"},\"timestamp\":1523617465000000000}"
  },
  "fields": {
    "@timestamp": [
      "2018-04-13T11:04:25.000Z"
    ]
  },
  "sort": [
    1523617465000
  ]
}

Now this is almost perfect but I need to split tags array to separate fields with proper data types and I have no idea how to do it. Hopefully someone can help.

Badger · April 13, 2018, 4:37pm

This reminds me of what you get without force_array => false in an xml filter

If I understand the ask correctly then you could do it with this:

ruby { code => ' event.set("tagsAsHash", event.get("tags").to_h) ' }

"tagsAsHash" => {
            "host" => "WIN",
        "instance" => "Total",
         "counter" => "Log File(s) Size (KB)",
          "object" => "MSSQL$DB:Databases",
    "sql_instance" => "WIN:DB"
},

MrFrost · April 16, 2018, 7:15am

Really nice and such simple code, thank you a lot for help

system · May 14, 2018, 7:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash how to parse and split nested json file Logstash	10	1826	June 20, 2022
Logstash and JSON array split Logstash	5	324	October 16, 2020
Split into field nested array JSON Logstash	1	337	January 24, 2019
Split a JSON array into individual documents in Logstash Logstash	8	1435	August 27, 2020
Json array splitting in logstash Logstash	11	5901	May 11, 2017

How to split JSON nested arrays?

Related topics