Logstash - Json file input question

Yawn · May 13, 2020, 4:51pm

Hello,

I am trying to load the following from a json file, and I had a couple of questions..

[
{
    "_index":  "index-001",
    "_type":  "xxx",
    "_id":  "m2p2A3EBY37dRdt4jKyq",
    "_score":  1.0,
    "_source":  {
                    "tags":  [
                                 "tag 1",
                                 "tag 2",
                                 "tag 3"
                             ],
                    "eventtime":  "1584817236",
                    "@timestamp":  "2020-03-22T17:06:28.220Z"
                }
},
	{
    "_index":  "index-002",
    "_type":  "xxx",
    "_id":  "m2p2A3EBY37dRdt4jKyz",
    "_score":  1.0,
    "_source":  {
                    "tags":  [
                                 "tag 1",
                                 "tag 2",
                                 "tag 3"
                             ],
                    "eventtime":  "1584817200",
                    "@timestamp":  "2020-03-22T17:06:28.220Z"
                }
}
]

I only need the data in _source, with each item between "" as a field.

Do I need a multiline codec for this? And do I need to do something specific for the "tags" array?

Thanks

Badger · May 13, 2020, 10:11pm

You can read the entire file as a single event using a multiline codec as described here.

Then use a json filter with the target option set to parse the file contents. It will parse nested fields just fine,

Then use a split filter to split the array into multiple events.

Then use a prune filter with a whitelist to discard everything except _source.

Then use a ruby filter as described in the link at the end of that post I linked to move the contents of _source to the top level.

Yawn · May 14, 2020, 4:39pm

Thanks for the pointers. I will try that

system · June 11, 2020, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.