I am parsing a JSON from http_poller. The JSON contains an array of coordinates with 3 numbers in the array. Only the first 2 are the lat and longitude and I would like to discard the 3rd number for the time being. Is it possible to parse a JSON array by the index of the value in the array?
example JSON array
coor[5,6,7]
I would like to set 5 as lat 6 as lon
This is not the proper syntax but similar to what I want to express.
"location" => ["%{[coor][0]}","%{[coor][1]}"]
If you want location to be an object with lat and lon fields, then this would work
mutate { add_field => { "[location][lat]" => "%{[coor][1]}" "[location][lon]" => "%{[coor][0]}" } }
If you really just want an array with two entries I think you have to drop down into ruby
ruby { code => 'event.set("location", event.get("coor")[0..1])' }In addition to Badger's good reply, you can use mutate/copy providing that you create the location field's Array value first - needed because if the value is not a preset array type then the code will assume the nested fields are for a Hash value and you end up with fields "0" and "1" in a location Hash.
input {
generator {
message => '{"coor":[7,8,9]}'
count => 1
}
}
filter {
json {
source => "message"
add_field => {"[location]" => [0,0]}
}
mutate {
copy => {
"[coor][0]" => "[location][0]"
"[coor][1]" => "[location][1]"
}
}
}
output {
stdout { codec => rubydebug {metadata => true } }
}
Gives:
{
"coor" => [
[0] 7,
[1] 8,
[2] 9
],
"sequence" => 0,
"@timestamp" => 2019-04-10T10:21:09.691Z,
"host" => "Elastics-MacBook-Pro.local",
"@version" => "1",
"location" => [
[0] 7,
[1] 8
],
"message" => "{\"coor\":[7,8,9]}"
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.