Hi there!
My target is very simple (as it seems): I want logstash to receive a json from http, process this json with some scrypt, and bypass it as json next.
I've started with json codec, but I've not found any way to properly access the root of event object, so I could not get the whole json content. So, I saw this How to read JSON input sent to Http input plugin in filter section topic and tried to make config like in the answer.
Let's say I've this config now:
input {
http {
id => "my_plugin_id"
port => 12345
additional_codecs => { }
}
}
filter {
json {
source => "message"
target => "json"
}
#one day here will be the ruby scrypt
}
and this json:
{
"some":
{
"some2":"SOME-AUTOGENERATED-ID1",
"some3":"stat"
},
"user_name":"some4",
"machine_name":"SOME",
"install_ver":"SOME",
"type":"SOME",
"message_desc":"test",
"time":"2002-02-10T16:58:48.000+0200",
"win_ver":"Some version",
"proc_ver":"version"
}
And what I'm trying to do, is using curl to send my json on this port:
curl -H "Content-Type: application/json" -XPOST "localhost:12345" --data-binary @stat2.json
Instead of having the real json in the json field of output, I really have this from logstash:
"json" => {
"install_ver" => "SOME",
"user_name" => "some4",
"machine_name" => "SOME",
"time" => "2002-02-10T16:58:48.000+0200",
"win_ver" => "Windows 10 1703",
"type" => "SOME",
"some" => {
"some2" => "SOME-AUTOGENERATED-ID1",
"some3" => "stat"
},
With => separator between key and value instead of colon. It's definetely not a json.
I've already tried to do
mutate { gsub => ["json", "=>", ':'] }
but it makes no action with json field, only the text or arrays could be here.
I just want to have real json in the "json" field, with colon separators. Of cource I can replace it with the scrypt, but it seems like very common thing, and I'm looking for the native solution.
Could someone here help me, please?