Json object field with name "tags" get converted to array after logstash mutate

Shabin_Shajahan · June 14, 2019, 3:55pm

I have a json in the following format. I am reading this from kafka in logstash.
{"id":"8eba168be707e85d","kind":"PRODUCER","name":"scheduler","timestamp":1560526848185066,"duration":23645,"tags":{"class":"TestJob","method":"execute"}}

If I use the mutate filter plugin, the data inserted into elasticsearch will convert the "tags" field from object to array.

This is my current config.

input
 { 
   kafka { 
         bootstrap_servers => "localhost:9092"
         topics => ["log-topic-new"] 
         codec => json
      } 
} 
filter {	
	mutate {
		add_field => {"timestamp_millis"=>"%{timestamp}"}
	}
	mutate {
		gsub => ["timestamp_millis", ".{3}$", ""]
  }
  mutate {
    convert => {
      "timestamp_millis" => "integer"
    }
  }
}
  output {
	 #--------Debugging in console -------------------
	  stdout { codec => rubydebug } 
	 #--------Sending logs to es index  ------------------- 
	  elasticsearch { 
			hosts =>"192.168.45.43:9200"
			manage_template => false
			document_type => span
			index => "span-%{+YYYY-MM-dd}"
	   }
	 
}

The data in ES

_source": {
	"timestamp_millis": 1560526848185,
    "kind": "PRODUCER",
    "tags": [
        [
            "class",
            "TestJob"
        ],
        [
            "method",
            "execute"
        ]
    ],
    "duration": 23645,
    "name": "scheduler",
    "id": "477811021df4dadc",
    "timestamp": 1560526848185066
}

But if the mutate filter plugin is removed, the tags data is inserted as object itself.

yaauie · June 14, 2019, 11:37pm

In Logstash, the top-level tags field has long been special-cased as an array and typically treated in plugins as an unordered set.

The following untested ruby filter, inserted as your first filter, should move anytags with a Hash (map) value out of the way and save it as _tags.

filter {
  ruby {
    code => "
      tags = event.get('tags')
      if tags.kind_of?(Hash)
        event.set('_tags', tags)
        event.remove('tags')
      end
    "
  }
}

Shabin_Shajahan · June 15, 2019, 9:18am

This will change my "tags" field to "_tags" right. I don't want to rename my field to "_tags" as the data retrieval from elasticsearch is not done by me.
So there is no way to write the tags field as it is to elasticsearch?

I see an open issue already present in github.

Shabin_Shajahan · June 17, 2019, 8:44am

Found that this is fixed in the latest version in this issue description. I was using 6.5.1. Now I switched to the latest 7.1.1 and it is working as expected. The tags field is preserved as it is.
It would be better if was available in the older versions as well.

Thanks @yaauie for the reply.

system · July 15, 2019, 8:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Filter Json To Array of Json Logstash	8	1870	June 13, 2019
Logstash parsing in JSON Logstash	12	608	October 28, 2020
Dealing with logstash conf file for json string array Logstash	5	541	August 13, 2018
Field named "tags" in logstash event causing problem Logstash	2	460	July 20, 2017
Convert a Json array of object ([{},{},{}] - this format) to {[],[],[]} Logstash	2	1595	December 19, 2018

Json object field with name "tags" get converted to array after logstash mutate

Related Topics