Logstash config for splitting array into new events

00a45f9a00ca005db54c · November 26, 2018, 1:17pm

Hi there. I'm trying to split array into separate log files. Input is a JSON like this

{
  "data": [
    {
      "field1": "val1",
      "field2": "val2"
    },
    {
      "field1": "val1",
      "field2": "val2"
    },
    ...
  ]
}

And i use conf like this:

    input {
      file {
        path => [ "/usr/local/etc/logstash/multi/*.json"]
        start_position => "beginning"
        sincedb_path => "/dev/null"
        type => "kitlog-multi"
      }
    }
 
filter {
  json {
    source => "message"
    target => "message"
  }
  if [type] == "kitlog-multi"{
    split {
      field => "[data]"
    }
  }
}
 
output {
  if [type] == "kitlog-multi" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"] 
      index => "kitlog-multi"
    }
  }
  
  stdout {}
}

But all objects from "data" are coming to ES as a single log anyways, they are just like comma-separated
message.data.field1 = value1, value2, ....
message.data.field2 = value1, value2, ...

Any ideas why it is not splitting correctly? Thanks in advance

Eniqmatic · November 26, 2018, 3:39pm

I mean to me this is expected behaviour, in your example you have two fields with the same name in the same object? You have two message.data.field1 so how do you expect it to behave?

system · December 24, 2018, 3:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split a json array and then split on each object Logstash	8	1722	November 1, 2021
Splitting an array of objects using Logstash Logstash	3	122	January 8, 2024
Split Json Array Objects Logstash	9	1778	April 15, 2020
Logstash - split array into individual events Logstash	7	6363	June 16, 2019
How to split nested fields into separate events? Logstash	3	1931	July 6, 2017

Logstash config for splitting array into new events

Related topics