Ingest JSON data into elasticsearch using logstash

Hi all,

I have complicated JSON data to ingest into Elasticsearch and need your suggestions to achieve this.
Here is my data format:

    <result_set elemtype="list">
        <dataset>
            <device>/api/device/13766</device>
            <field_names elemtype="list">
                <v>collection_time</v>
                <v>d_check</v>
            </field_names>
            <data elemtype="list">
                <data elemtype="list">
                    <v>1618644420</v>
                    <v>1</v>
                </data>
            </data>
        </dataset>
        <dataset>
            <device>/api/device/13769</device>
            <field_names elemtype="list">
                <v>collection_time</v>
                <v>d_check</v>
            </field_names>
            <data elemtype="list">
                <data elemtype="list">
                    <v>1618644420</v>
                    <v>1</v>
                </data>
            </data>
        </dataset>
        <dataset>
            <device>/api/device/13772</device>
            <field_names elemtype="list">
                <v>collection_time</v>
                <v>d_check</v>
            </field_names>
            <data elemtype="list">
                <data elemtype="list">
                    <v>1618644420</v>
                    <v>1</v>
                </data>
            </data>
        </dataset>
        <dataset>
            <device>/api/device/13773</device>
            <field_names elemtype="list">
                <v>collection_time</v>
                <v>d_check</v>
            </field_names>
            <data elemtype="list">
                <data elemtype="list">
                    <v>1618644420</v>
                    <v>1</v>
                </data>
            </data>
        </dataset>

Here, for my device ID, the data is proper; it is coming like device : /api/device/13769

When it comes to the collection time and availability, the data is like this: the field name itself is coming as a field and the data in a separate field.

    <field_names elemtype="list">
        <v>collection_time</v>
        <v>d_check</v>
    </field_names>
    <data elemtype="list">
        <data elemtype="list">
            <v>1618644420</v>
            <v>1</v>

How I want it to be indexed is:

device : /api/device/13769
collection_time : 1618644420
d_check : 1

Please help to proceed with this.

Thanks
Gautham

That's not JSON. That's XML.

@jasenj1 Sorry, here is the JSON.

"result_set": [
        {
            "device": "/api/device/13766",
            "field_names": [
                "collection_time",
                "d_check"
            ],
            "data": [
                [
                    "1618645620",
                    "1"
                ]
            ]
        },
        {
            "device": "/api/device/13769",
            "field_names": [
                "collection_time",
                "d_check"
            ],
            "data": [
                [
                    "1618645620",
                    "1"
                ]
            ]
        },

Thanks
Gautham

Any time the field names are variables you need to use ruby. For the JSON you show it would be

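    ruby {
        code => '
            # Each result_set entry carries parallel arrays: field_names and data
            rs = event.get("result_set")
            newRs = []
            rs.each_index { |x|
                h = rs[x]
                # Pair each value in the first data row with its field name
                h["data"][0].each_index { |y|
                    h[h["field_names"][y]] = h["data"][0][y]
                }
                # Drop the original arrays now that the values are top-level keys
                h.delete("data")
                h.delete("field_names")
                newRs << h
            }
            event.set("result_set", newRs)
        '
    }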
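
An added example, not part of the original answer or of Logstash: the same reshaping as a standalone Ruby function, extended to emit one record per row in `data` and to reject datasets whose `field_names` are not on an allowlist or do not match the row length, since in the filter above a field name equal to `device` would overwrite the device value. The allowlist `ALLOWED_FIELDS`, the function name `flatten_result_set` and the sample input are assumptions constructed for illustration.

```ruby
require "json"

# Constructed sample input modelled on the JSON in the question, with an extra
# row, a field name that collides with "device", and a short row added.
SAMPLE = JSON.parse(<<~JSON)
  {"result_set": [
    {"device": "/api/device/13766", "field_names": ["collection_time", "d_check"],
     "data": [["1618645620", "1"], ["1618645680", "0"]]},
    {"device": "/api/device/13769", "field_names": ["collection_time", "device"],
     "data": [["1618645620", "/api/device/1"]]},
    {"device": "/api/device/13772", "field_names": ["collection_time", "d_check"],
     "data": [["1618645620"]]}
  ]}
JSON

# Hypothetical allowlist: only these names may become document fields.
ALLOWED_FIELDS = %w[collection_time d_check].freeze

# Returns [records, rejects]. Emits one record per data row; a dataset is
# rejected whole when its names or rows fail validation.
def flatten_result_set(result_set, allowed = ALLOWED_FIELDS)
  records, rejects = [], []
  Array(result_set).each do |ds|
    dev = ds.is_a?(Hash) ? ds["device"] : nil
    names, rows = ds.is_a?(Hash) ? ds.values_at("field_names", "data") : [nil, nil]
    reason =
      if !names.is_a?(Array) || !rows.is_a?(Array)
        "missing field_names or data"
      elsif !(names - allowed).empty?
        "unexpected field names: #{(names - allowed).join(', ')}"
      elsif names.uniq.length != names.length
        "duplicate field names"
      elsif rows.any? { |r| !r.is_a?(Array) || r.length != names.length }
        "row length does not match field_names"
      end
    if reason
      rejects << { "device" => dev, "reason" => reason }
      next
    end
    # zip pairs each name with the value at the same position in the row
    rows.each { |r| records << { "device" => dev }.merge(names.zip(r).to_h) }
  end
  [records, rejects]
end

if __FILE__ == $PROGRAM_NAME
  records, rejects = flatten_result_set(SAMPLE["result_set"])
  puts JSON.pretty_generate("records" => records, "rejects" => rejects)
end
```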

Thank you @Badger. It worked perfectly.

Thanks
Gauti
