HTTP JSON input: one array one document

thopic · June 29, 2021, 9:05am

Hello,

I am using the HTTP JSON input of Filebeat to query some APIs and get some metrics. The problem is for some of them to send a JSON array instead of a JSON object. If I want to make a count of a specific metric, I can't sum the values for each object in the array. I went through all the above documentation, but failed to find a solution to my problem.

Has anyone found a workaround?

Thanks!

legoguy1000 · June 30, 2021, 12:54am

Can u clarify what you're trying to do with the array of data?

thopic · June 30, 2021, 7:15am

Sure!

For example, if the API request returns this type of data :

[{"username": "foo",
  "messages": "x"},
 {"username": "bar",
  "messages": "y"}]

I would like to sum the messages values to get the total number of messages (x+y).

From what I've experimented, this kind of response is processed in two times :

First with foo
Then with bar

I can use response.transforms but only in the scope of one JSON object. So I'm stuck.

legoguy1000 · June 30, 2021, 10:55am

Can you post the config for your httpjson input?

thopic · June 30, 2021, 2:27pm

Hm no I can't because I didn't find any that could work. But I can try to give a more meaningful example.

For example for collecting emails count on a daily basis for Mailcow, I could use this endpoint. But the output will be an array with all the mailboxes details (below is only one mailbox as the API example) :

[
  {
    "max_new_quota": 10737418240,
    "username": "info@doman3.tld",
    "rl": false,
    "is_relayed": 0,
    "name": "Full name",
    "active": "1",
    "domain": "doman3.tld",
    "local_part": "info",
    "quota": 3221225472,
    "attributes": {
      "force_pw_update": "0",
      "tls_enforce_in": "0",
      "tls_enforce_out": "0",
      "sogo_access": "1",
      "mailbox_format": "maildir:",
      "quarantine_notification": "never"
    },
    "quota_used": 0,
    "percent_in_use": 0,
    "messages": 0,          <-- I want to sum this field for all mailboxes
    "spam_aliases": 0,
    "percent_class": "success"
  }
]

Actually I realize there are 2 questions in my post:

How to have access to all the mailboxes details within one response and be able to process this response with processors;
With making use of processors, how could I end up with the sum of all messages count?

Maybe my case is too specific, I can keep searching, but the first step is to know if it is possible to process all json documents within one response?

legoguy1000 · July 1, 2021, 12:52am

to split the response use HTTP JSON input | Filebeat Reference [7.13] | Elastic. The MISP module does, beats/config.yml at master · elastic/beats · GitHub, to split the API response.

response.split:
  target: body.response
  split:
    target: body.Event.Attribute
    keep_parent: true

You'd probably just do

response.split:
  target: body.response
  split:
    target: body
    keep_parent: true

thopic · July 2, 2021, 1:19pm

I thought I've tried to split the response (in a lot of different ways) but this operation only applied to the JSON objects and not to the whole array. Anyway, I will give it another try with what you provided, but in a few days (maybe weeks...) unfortunately. I will keep you posted. Thank you

system · July 30, 2021, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.