JSON array split using Logstash

I have a JSON array like the below

The split filter is working till sdwan.status

`split { field => "[parsed_collection][collection][sdwan:status]" }`

When I try to split till path-status like this `split { field => "[parsed_collection][collection][sdwan:status][path-status]" }` it is throwing the below error.

"Only String and Array types are splittable"

Expecting the output like the below.

parsed_collection.collection.sdwanstatus.path-status.fwd-class fc_nc
parsed_collection.collection.sdwanstatus.path-status.path-handle 6885632
parsed_collection.collection.sdwanstatus.path-status.conn-state up
parsed_collection.collection.sdwanstatus.path-status.remote-wan-link MPLS
parsed_collection.collection.sdwanstatus.path-status.damp-flaps 0
parsed_collection.collection.sdwanstatus.path-status.local-wan-link WAN
parsed_collection.collection.sdwanstatus.path-status.last-flapped 2d12h04m
parsed_collection.collection.sdwanstatus.path-status.remote-wan-link-id 1
parsed_collection.collection.sdwanstatus.path-status.local-wan-link-id 1
parsed_collection.collection.sdwanstatus.path-status.adaptive-monitoring disable
parsed_collection.collection.sdwanstatus.path-status.damp-state disable
parsed_collection.collection.sdwanstatus.path-status.flaps 1

Please help me to split till path-status @Badger

What does that object look like if you use

output { stdout { codec => rubydebug } }

@Badger The object looks like the below

 "parsed_collection" => {
        "collection" => {
            "sdwan:status" => [
                [0] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 8,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 69888,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "5d03h01m",
                                "remote-wan-link" => "WAN",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "POD3-Controller1"
                },
                [1] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6885632,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d15h44m",
                                "remote-wan-link" => "MPLS",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        },
                        [1] {
                             "remote-wan-link-id" => 2,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6885888,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d15h44m",
                                "remote-wan-link" => "INT",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "ind-uat-matrix-cgw1"
                },
                [2] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6951168,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d10h43m",
                                "remote-wan-link" => "MPLS",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        },
                        [1] {
                             "remote-wan-link-id" => 2,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6951424,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d10h43m",
                                "remote-wan-link" => "INT",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "ind-uat-matrix-cgw2"
                }
            ]
        }
    } 

So [sdwan:status] is an array, and for each entry in that array, the field [path-status] is also an array. I have not tested anything, but I think you will need two split filters.

split { field => "[parsed_collection][collection][sdwan:status]" }
split { field => "[parsed_collection][collection][sdwan:status][path-status]" }

Kibana does not always display object structures within fields very well. It is just not what the tool is intended to do. Looking at the rubydebug output from Logstash, or the raw JSON in the _source field from Elasticsearch, will give a better presentation of the structure.
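An added illustration, not part of the thread or the split plugin's source: a small Ruby model of what two chained split filters do to the structure shown above, run on a constructed, trimmed copy of that event. It assumes that a field reference stepping through an array with a non-numeric key resolves to nil, which is the non-splittable case behind the warning; `get`, `with_value`, `split` and `two_stage` are hypothetical helper names.

```ruby
# Model of chained split filters on nested arrays (illustration only, not plugin code).
# Constructed sample event, trimmed from the rubydebug output in the thread.
SAMPLE = {
  "parsed_collection" => { "collection" => { "sdwan:status" => [
    { "site-name" => "POD3-Controller1",
      "path-status" => [{ "path-handle" => 69888, "remote-wan-link" => "WAN" }] },
    { "site-name" => "ind-uat-matrix-cgw1",
      "path-status" => [{ "path-handle" => 6885632, "remote-wan-link" => "MPLS" },
                        { "path-handle" => 6885888, "remote-wan-link" => "INT" }] }
  ] } }
}.freeze

OUTER = %w[parsed_collection collection sdwan:status].freeze
INNER = (OUTER + ["path-status"]).freeze

# Assumed field-reference behaviour: a non-numeric key applied to an array yields nil.
def get(event, path)
  path.reduce(event) do |node, key|
    case node
    when Hash  then node[key]
    when Array then key.match?(/\A-?\d+\z/) ? node[key.to_i] : nil
    end
  end
end

# Deep-copy the event so each emitted event is independent, then overwrite the field.
def with_value(event, path, value)
  copy = Marshal.load(Marshal.dump(event))
  get(copy, path[0..-2])[path.last] = value
  copy
end

# One output event per array element. Anything that is not an array is passed
# through with a failure tag (string splitting is left out of this model).
def split(events, path)
  events.flat_map do |ev|
    value = get(ev, path)
    next [ev.merge("tags" => ["_split_type_failure"])] unless value.is_a?(Array)
    value.map { |item| with_value(ev, path, item) }
  end
end

# First split the sites, then split each site's path-status list.
def two_stage(event)
  split(split([event], OUTER), INNER)
end
```

Each resulting event keeps its `site-name` and carries exactly one `path-status` object, so the per-path fields become addressable as ordinary nested fields.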
