Logstash Filter || Json Message to Split Fields

deeps · September 16, 2019, 6:52pm

Could someone suggest the best and easy way to split the message into separate fields?

I have incoming messages in json format:
ex: message {"scenarioName":"x","id":"x","type":"x","source":"x","transaction":"x","appId":"x","template":"x","email":"x@blah.com","name":"x","lastName":"x ","data":{"Id":"x","source":"x"},"customData":{}}

and I would like to split each field for building dashboards in Kibana.

Would this put additional load on data nodes / elasticsearch?
Flow is logstash consuming kafka topics and pushing to elasticsearch.

Badger · September 16, 2019, 7:21pm

Since that is JSON I would use a json filter

filter { json { source => "message" remove_field => [ "message" ] } }

That will give you

{
        "data" => {
        "Id" => "x",
    "source" => "x"
},
  "@timestamp" => 2019-09-16T19:19:06.661Z,
    "template" => "x",
 "transaction" => "x",
    "lastName" => "x ",
"scenarioName" => "x",
        "name" => "x",
          "id" => "x",
        "type" => "x",
       "email" => "x@blah.com",
       "appId" => "x",
  "customData" => {},
      "source" => "x"
}

Obviously this parsing is not free, and indexing more fields costs more, but whether it is too expensive is a question only you can answer.

deeps · September 16, 2019, 7:28pm

works perfect, thanks for the quick help! @Badger

system · October 14, 2019, 7:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse json "message" into separate fields in Kibana Logstash	3	8379	February 15, 2019
Split data in message field to separate fields to display in kibana Logstash	1	991	May 1, 2020
Split nested json array from log Logstash	13	3993	May 18, 2020
How to use the JSON filter correctly? Logstash	14	1912	August 25, 2023
Parse Logstash message field into multiple field Logstash	9	2645	September 13, 2021

Logstash Filter || Json Message to Split Fields

Related topics