Hello ,
I am using http_poller logstash input plugin to poll rest API ( JIRA ) .
When i poll it , these are the sample fields
maxresults
startAt
tags
issues
Fields under issues
issues
{
fields
{
emailadress
key
name }}
my filter
filter {
json
{
source => "issues"
}
mutate
{
add_field => { "username" => "%"{[fields][name]} }}
} }
But i am not able to parse the value . Could someone help
add_field => { "username" => [issues][fields][name]}
Try that.
If [issues] contains a string of JSON then that json filter should result in there being a field called [fields][name] which you would reference using
mutate { add_field => { "username" => "%{[fields][name]}" } }Thanks ,
its not working . its not parsing instead its adding the field name = %{[fields][assignee][name]}
below is my json content
"_index": "index_name",
"_type": "_doc",
"_id": "fCIYF3QBw3RYG9-rSeAc",
"_version": 1,
"_score": null,
"_source": {
"expand": "names,schema",
"total": 1,
"startAt": 0,
"issues": [
{
"expand": "operations,versionedRepresentations,editmeta,changelog,renderedFields",
"key": "test-1234",
"id": "132468",
"self": "http://dns/rest/api/2/issue/132468",
"fields": {
"issuetype": {
"subtask": false,
"name": "Task",
"self": "http://dns/rest/api/2/issuetype/3",
"id": "3",
},
"assignee": {
"name": "fred",
}
]
}}
Below are the filter tried
“username" => "%{[fields][assignee][name]}" or "%{[issues][fields][assignee][name]}"
“key” => "%{[fields][key]}" or "%{[issues][fields][key]}"
Index fields available already
issues.fields.assignee.name
issues.fields.key
[issues] is an array, so it would be %{[issues][0][fields][assignee][name]}
1 Like
Thanks , but its not working . Logstash is going downthanks , let me try that
it works , thanks a lot but have another question
There is another array inside of the issues
"issues": [
{
"fields": {
"app": [
{
value: test
}
]
}
]
How do i access the "app" field which is a nested array ? Thanks in advance
That would be
[issues][0][fields][app][0][value]Thanks , was trying the same :)
it works , thanks . I have an another question though
i am trying to remove the fields
This is my filter
f
filter {
mutate {
add_field => {
"status" => "%{[issues][0][fields][status][name]}"
}
}
ruby {
code => '
event.to_hash.each { |k, v|
if v == "" or v.to_s.start_with?("%{[issues]")
event.remove(k)
end
}
but its not working , is this right ? i am trying to remove the field if the value is not updated
I would have expected that to work.
Thanks for the response . Below is the error
Error:
[2020-08-24T15:38:43,990][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 51, column 1 (byte 1556) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:58:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:66:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:28:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:27:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:181:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:67:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:44:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:356:in `block in converge_state'"]}
Filter:
filter {
mutate {
add_field => {
"status" => "%{[issues][0][fields][status][name]}"
}
}
ruby {
code => '
event.to_hash.each { |k, v|
if v == "" or v.to_s.start_with?("%{[issues]")
event.remove(k)
end
}
'
}
}
}
You seem to have an extra } at the end of that configuration.
hi , that's to close the filter
filter {
}
No, it is not. If you format your filter section like this:
filter {
mutate { add_field => { "status" => "%{[issues][0][fields][status][name]}" } }
ruby {
code => '
event.to_hash.each { |k, v|
if v == "" or v.to_s.start_with?("%{[issues]")
event.remove(k)
end
}
'
}
}
}
you will see there is an extra }
is this required to have if v == "" or v.to_s.start_with?("%**{**[issues]") **braces** before issues . because i checked again , there is no extra braces
There are 3 open braces in ruby code and 1 to close filter ... total 7 open braces and 7 closed ones.. sorry if i am making wrong statement here .
filter {
mutate { add_field => { "status" => "%{[issues][0][fields][status][name]}" } }
ruby {
code => '
event.to_hash.each { |k, v|
if v == "" or v.to_s.start_with?("%{[issues]")
event.remove(k)
end
}
'
}
}
}
Is this right ? still its not working
No, it is not right, that's the point. Delete the final }
ah .. silly of me ..thanks ..