Json split multiple event in Logstash Pipeline

Purushottam22 · March 30, 2022, 11:56am

Hi All,

I am trying to ingest the python script output using exec input plugin filter but i am facing issue while performing split operation on message. I am not sure how can I split into fields, below sample output which is receiving under message :
Output/Message field
{"required_role":"OPERATOR","user_role":"DESIGNER","accepted":true,"request_url":"/catalog_service_settings","rest_params":{},"original_time":637841834485391604,"severity":"INFO","audit_time":637841834485391604}
{"required_role":"OPERATOR","user_role":"DESIGNER","accepted":true,"request_url":"/catalog_service_settings","rest_params":{},"original_time":637841839892273074,"severity":"INFO","audit_time":637841839892273074}
{"required_role":"OPERATOR","user_role":"DESIGNER","accepted":true,"request_url":"/catalog_service_settings","rest_params":{},"original_time":637841840485632613,"severity":"INFO","audit_time":637841840485632613}
{"required_role":"OPERATOR","user_role":"DESIGNER","accepted":true,"request_url":"/catalog_service_settings","rest_params":{},"original_time":637841845977496183,"severity":"INFO","audit_time":637841845977496183}
{"required_role":"OPERATOR","user_role":"DESIGNER","accepted":true,"request_url":"/catalog_service_settings","rest_params":{},"original_time":637841846485656787,"severity":"INFO","audit_time":637841846485656787}

Current Logstash Pipeline :

input {
exec {
command => "python /usr/share/logstash/scripts/qlik_2.py"
interval => 30
}
}

filter {
json {
source => "message"
skip_on_invalid_json => true
tag_on_failure => ["failed_json"]
}
split {
field => "message"
}
}

Could you please help me with the same.
@Badger @elastic_team Kindly assist how can ingest data in respective fields in index.

leandrojmp · March 31, 2022, 2:38am

Hello,

Please do not ping people that are not part of the thread.

It is not clear what you want to do and what the issue is. What is your output?

If I understand correctly you want to create a new event for each one of the json documents in the output of the exec input plugin?

You should put the split filter before the json filter, try that and see if it works.

Purushottam22 · March 31, 2022, 10:18am

Hello,

Now the output is getting split into new documents but Json filter is not working as I am not able to ingest log in key value format in kibana.

Can you please help me how can I resolved the same

leandrojmp · March 31, 2022, 1:05pm

You need to share the output you are having, also share your updated pipeline config.

system · April 28, 2022, 1:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split on multiple fields logstash. Is it possible? Logstash	5	2156	July 6, 2017
Unable to split the data in message field Logstash	11	459	March 28, 2023
Split Json Array Objects Logstash	9	1778	April 15, 2020
Split field in a json event Logstash	2	736	July 6, 2017
How to split array json into multiple fields Logstash	4	1402	April 10, 2021

Json split multiple event in Logstash Pipeline

Related topics