How use translate in json object?

kar · November 20, 2017, 4:07pm

Hello
This is my json:

{"serial_number":"36307","time":"2017-11-20 08:10:40.340 +03:00","transaciton_id":"","card_hash":"","component":"READER","level":"DEBUG","message":"Request": SrvOpen: SrvOpenRequest: {"TgComName":"/dev/oti"}"}

I need translate my field serial_number according with my yml file.

krotov@test:~$ cat /etc/logstash/dict.yml
"36322": It worked!
So. How i can translate this field?
My config:

input {
tcp {
port => 5044
host => '0.0.0.0'
}
}
filter {
date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
remove_field => [ "timestamp" ]
}
json {
source => "message"
target => "css"
remove_field => "message"
add_field => {"sn" => "%{serial_number}" } ###- this not work. in kibana saw sn: %{serial_number}. ###
}
translate {
field => "serial_number"
destination => "translate"
dictionary_path => "/etc/logstash/dict.yml"
override => "true"
}
}
output {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "mgt"
codec => rubydebug
document_type => "%{[@metadata][type]}"
}

Pls help with this. Sorry for bad language

magnusbaeck · November 21, 2017, 6:48am

###- this not work. in kibana saw sn: %{serial_number}.

That indicates that your document doesn't have a serial_number field, which would also explain why the translate filter isn't working. Show a complete example document, e.g. by using a stdout { codec => rubydebug } output.

kar · November 21, 2017, 7:21am

Thank you. output there:

output received {"event"=>{"css"=>{"card_hash"=>"", "component"=>"PLATFORM", "level"=>"DEBUG", "serial_number"=>"36307", "time"=>"2017-11-20 08:10:40.332 +03:00", "transaciton_id"=>"", "message"=>"Получена команда от АСКП"}, "@timestamp"=>2017-11-21T07:17:23.943Z, "port"=>34116, "@version"=>"1", "host"=>"localhost", "@metdata"=>{"ip_address"=>"127.0.0.1"}, "sn"=>"%{serial_number}"}}

Christian_Dahlqvist · November 21, 2017, 7:22am

If your json document has a serial_number field, you are putting this under css as you have the target parameter set. This means that you would need to specify %{[css][serial_number]}.

kar · November 21, 2017, 7:40am

It worked!
Thank you!
This way exist in documentation? I could not find.

Christian_Dahlqvist · November 21, 2017, 7:45am

Here is an example of how to address nested fields.

system · December 19, 2017, 7:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.