Json array split using logstash

subash · September 24, 2020, 8:16pm

I have a jason array like the below

The split filter is working till sdwan.status

`split { field => "[parsed_collection][collection][sdwan:status]" }

when I try to split till path-status like this split { field => "[parsed_collection][collection][sdwan:status][path-status]" } it is throwing the below error.

"Only String and Array types are splittable"

expecting the output like the below.

parsed_collection.collection.sdwanstatus.path-status.fwd-class fc_nc
parsed_collection.collection.sdwanstatus.path-status.path-handle 6885632
parsed_collection.collection.sdwanstatus.path-status.conn-state up
parsed_collection.collection.sdwanstatus.path-status.remote-wan-link MPLS
parsed_collection.collection.sdwanstatus.path-status.damp-flaps 0
parsed_collection.collection.sdwanstatus.path-status.local-wan-link WAN
parsed_collection.collection.sdwanstatus.path-status.last-flapped 2d12h04m
parsed_collection.collection.sdwanstatus.path-status.remote-wan-link-id 1
parsed_collection.collection.sdwanstatus.path-status.local-wan-link-id 1
parsed_collection.collection.sdwanstatus.path-status.adaptive-monitoring disable
parsed_collection.collection.sdwanstatus.path-status.damp-state disable
parsed_collection.collection.sdwanstatus.path-status.flaps 1

Please help me to split till path-status @Badger

Badger · September 24, 2020, 9:30pm

What does that object look like if you use

output { stdout { codec => rubydebug } }

subash · September 24, 2020, 11:18pm

@Badger The object looks like the below

 "parsed_collection" => {
        "collection" => {
            "sdwan:status" => [
                [0] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 8,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 69888,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "5d03h01m",
                                "remote-wan-link" => "WAN",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "POD3-Controller1"
                },
                [1] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6885632,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d15h44m",
                                "remote-wan-link" => "MPLS",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        },
                        [1] {
                             "remote-wan-link-id" => 2,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6885888,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d15h44m",
                                "remote-wan-link" => "INT",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "ind-uat-matrix-cgw1"
                },
                [2] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6951168,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d10h43m",
                                "remote-wan-link" => "MPLS",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        },
                        [1] {
                             "remote-wan-link-id" => 2,
                            "adaptive-monitoring" => "disable",
                                          "flaps" => 1,
                                     "damp-flaps" => 0,
                                     "conn-state" => "up",
                                    "path-handle" => 6951424,
                              "local-wan-link-id" => 1,
                                   "last-flapped" => "2d10h43m",
                                "remote-wan-link" => "INT",
                                 "local-wan-link" => "WAN",
                                      "fwd-class" => "fc_nc",
                                     "damp-state" => "disable"
                        }
                    ],
                      "site-name" => "ind-uat-matrix-cgw2"
                }
            ]
        }
    }

Badger · September 25, 2020, 12:19am

subash:

"parsed_collection" => {
        "collection" => {
            "sdwan:status" => [
                [0] {
                    "path-status" => [
                        [0] {
                             "remote-wan-link-id" => 1,

So [sdwan:status] is an array, and for each entry in that array, the field [path-status] is also an array. I have not tested anything, but I think you will need two split filters.

split { field => "[parsed_collection][collection][sdwan:status]" }
split { field => "[parsed_collection][collection][sdwan:status][path-status]" }

kibana does not always display object structures within fields very well. It is just not what the tool is intended to do. Looking at the rubydebug output from logstash, or the raw JSON in the _source field from elasticsearch will give a better presentation of the structure.

system · October 23, 2020, 12:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split Filter Parse Failure - Only String and Array types are splittable Logstash	5	1250	March 12, 2020
Only String and Array types are splittable. field:splitedJson is of type = NilClass Logstash	3	6209	August 21, 2019
Only String and Array types are splittable. field:[field][Name] is of type = Hash Logstash	2	3432	February 27, 2017
Splitting JSON arrays Logstash	3	297	March 26, 2019
How to split a JSON array inside an object Logstash	2	9256	July 6, 2017

Json array split using logstash

Related topics