Json parsing in Logstash - is this possible?

dmccuk · September 11, 2018, 4:13pm

Hi,

I've been attempting to parse this json output with logstash and I'm not having any success. Can anyone tell me if it's actually possible:

{  
   "threadName":"threadX",
   "processName":"processX",
   "timestamp":"2018-09-10T15:24:42.696Z",
   "metrics":[  
      {  
         "name":"heap_used",
         "metricParams":[  
            {  
               "name":"value",
               "value":3
            },
            {  
               "name":"min",
               "value":1
            },
            {  
               "name":"max",
               "value":3
            }
         ]
      },
      {  
         "name":"thread_count_peak",
         "metricParams":[  
            {  
               "name":"value",
               "value":15.716311951405892
            },
            {  
               "name":"min",
               "value":0.30511587981085886
            },
            {  
               "name":"max",
               "value":25.26421282572334
            }
         ]
      }
   ],
   "tags":[  
      "jvm",
      "someTag"
   ]
}

I've tried to parse it with multiple nested variations like this:

filter {
json {
source => "metrics"
}
json {
source => "[metrics][metricParams]"
}
}

The output in Kibana:

> "timestamp": "2018-09-10T15:24:42.898Z",
>     "threadName": "threadX",
>     "offset": 415,
>     "metrics": [
>       {
>         "name": "heap_used",
>         "metricParams": [
>           {
>             "name": "value",
>             "value": 69
>           },
>           {
>             "name": "min",
>             "value": 68
>           },
>           {
>             "name": "max",
>             "value": 70
>           }
>         ]
>       },
>       {
>         "name": "thread_count_peak",
>         "metricParams": [
>           {
>             "name": "value",
>             "value": 57.15107690276084
>           },
>           {
>             "name": "min",
>             "value": 46.029165860485556
>           },
>           {
>             "name": "max",
>             "value": 110.2139999913411
>           }
>         ]
>       }
>     ],
>     "@version": "1",
>     "process123": "processX"
>   },
>   "fields": {
>     "@timestamp": [
>       "2018-09-11T16:10:18.133Z"
>     ]
>   },

I've attempted to follow the docs but I'm definately not getting it. (unless it's not possible?)

Thanks for you help.

magnusbaeck · September 11, 2018, 6:43pm

Everything has parsed just fine. The problem is that Kibana displays arrays of objects very poorly.

dmccuk · September 12, 2018, 3:15pm

Thanks for confirming @magnusbaeck.

When i went back through my setup I found I was already parsing the json at source in filebeat which complicated what I was trying to achieve.

system · October 10, 2018, 3:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.