JSON Array - Logstash

shagun · July 23, 2019, 1:08pm

I am trying to parse the nested JSON.
I tried to use the Split filter for it but it results in a matric form.

{
    "School": {
    	"Details1": [{
    		"Name": "a",
    		"Class": "1"
    	}, {
    		"Name": "b",
    		"Class": "2"
    	}, {
    		"Name": "c",
    		"Class": "3"
    	}, {
    		"Name": "d",
    		"Class": "4"
    	}],

    "Details2": [{
    		"Name": "a",
    		"Class": "1"
    	}, {
    		"Name": "b",
    		"Class": "2"
    	}, {
    		"Name": "c",
    		"Class": "3"
    	}, {
    		"Name": "d",
    		"Class": "4"
    	}]
    }

the result I got is in matric like fields of Details1 name a class 1 with the name a class 1, name b class 2, name c class 3, name d class 4 of Details2

then the name b class 2 of Details1 with the name a class 1, name a class 2, name c class 3 and on... of Details2.

so it is printing basically 4*4 results.

Help me with that

Badger · July 23, 2019, 1:39pm

Do you want Details1 and Details2 to be in separate events?

shagun · July 24, 2019, 4:30am

Yes @Badger I want every "name" and "class" with Details1 and Details2 as separate events.

Badger · July 24, 2019, 12:43pm

Does this work for you?

    ruby {
        code => '
            a = []
            event.get("School").each { |k, v|
                a << v
            }
            event.set("SchoolArray", a)
        '
        remove_field => [ "School" ]
    }
    split { field => "SchoolArray" }

That will get you events that contain

"SchoolArray" => [
    [0] {
         "Name" => "a",
        "Class" => "1"
    },
    [1] {
         "Name" => "b",
        "Class" => "2"
    },
    [2] {
         "Name" => "c",
        "Class" => "3"
    },
    [3] {
         "Name" => "d",
        "Class" => "4"
    }
],

shagun · July 24, 2019, 1:25pm

Thanks, @Badger this will work for only a single array.
what about the fields of Details2, they also come as a separate document with the same name SchoolArray

I need Details1 in a single document and Details2 in another one.
eg:

{
"Details1Array" => [
    [0] {
         "Name" => "a",
        "Class" => "1"
    },
    [1] {
         "Name" => "b",
        "Class" => "2"
    },
    [2] {
         "Name" => "c",
        "Class" => "3"
    },
    [3] {
         "Name" => "d",
        "Class" => "4"
    }
]
}

{
"Details2Array" => [
    [0] {
         "Name" => "a",
        "Class" => "1"
    },
    [1] {
         "Name" => "b",
        "Class" => "2"
    },
    [2] {
         "Name" => "c",
        "Class" => "3"
    },
    [3] {
         "Name" => "d",
        "Class" => "4"
    }
]
}

can you help me with this?

Badger · July 24, 2019, 1:30pm

You could change the ruby filter to

    ruby {
        code => '
            a = []
            event.get("School").each { |k, v|
                a << { k => v }
            }
            event.set("SchoolArray", a)
        '
        remove_field => [ "School" ]
    }

which would get you events like

"SchoolArray" => {
    "Details2" => [
        [0] {
            "Class" => "1",
             "Name" => "a"
        },
        [1] {
            "Class" => "2",
             "Name" => "b"
        },
        [2] {
            "Class" => "3",
             "Name" => "c"
        },
        [3] {
            "Class" => "4",
             "Name" => "d"
        }
    ]
},

system · August 21, 2019, 1:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.