Hello leandrojmp,
Thanks for your support on this. I was able to make some progress with the help of your suggestions. With the new logstash config, I was able to extract only data field, but still encapsulating all the other fields. I want to take all the fields outside the "data" nest
Input message:
{"field1":"value1", "field2":"value2", "field3":"value3", "field4":"value4", "data":{"nested_field1":"nested_value1","nested_field2":"nested_value2", "nested_field3":"nested_value3"}}
Current outpout with the Logstash config below:
{"data":{"nested_field3":"nested_value3","nested_field1":"nested_value1","nested_field2":"nested_value2"}}
Expected output:
{"nested_field3":"nested_value3","nested_field1":"nested_value1","nested_field2":"nested_value2"}
We would not be able to use static field names as the fields under data{} can be dynamic. I would need something like [data][*]
New logstash config:
input {
file {
type => "json"
path => "/home/ranjith/logstash1.log"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
json {
source => "message"
}
prune {
whitelist_names => ["data"]
}
mutate {
remove_field => [ "message" ]
}
}
output {
stdout { codec => json }
}