Logstash json-filter - Wildcard to fetch fields

I am new to Logstash and am using the Logstash JSON filter plugin.

The JSON payloads look like this (each line is a new log entry):

    { "RequestOne": { "Header": { "MessageID": "41019e6b-e2da-4303-88df-859765d0fbe3", "CreationDateTime": "2019-01-28T12:29:42.106Z", "SenderParty": "soapUI" }, "Data": { <other data> } } }
    { "RequestTwo": { "Header": { "MessageID": "41019e6b-e2da-4303-88df-859765d0fbe3", "CreationDateTime": "2019-01-28T12:29:42.106Z", "SenderParty": "soapUI" }, "Data": { <other data> } } }
    { "RequestThree": { "Header": { "MessageID": "41019e6b-e2da-4303-88df-859765d0fbe3", "CreationDateTime": "2019-01-28T12:29:42.106Z", "SenderParty": "soapUI" }, "Data": { <other data> } } }

The JSON filter config looks like this:

    json {
        source => "data"
        target => "parsed_json"
    }

    mutate {
        add_field => {
            "MessageID" => "%{[parsed_json][RequestOne][Header][MessageID]}"
        }
    }

With this I am able to create the field MessageID with the proper details. But I want it to be generic, so that it does not look for RequestOne, and to have something like this:

    %{[parsed_json][*][Header][MessageID]}

using a wildcard.

Is there any way to achieve this?

Not that I know of, so you may need to use a ruby filter.

I see, time to learn ruby...

[ Does anyone have any handy code which can be used? ]

    ruby {
        code => '
            event.get("[parsed_json]").each { |k, v|
                event.set("messageId", v["Header"]["MessageID"])
            }
        '
    }

Thanks Badger!

I achieved it like this. Your approach looks much better :)

    ruby {
        code => "
            require 'json'
            hash = JSON.parse(event.get('parsed_json'))
            event.set('MessageID', hash.values[0]['Header']['MessageID'])
        "
    }
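Added example, not part of the original thread: both snippets above raise inside the ruby filter (which tags the event `_rubyexception`) when a wrapper has no `Header` or is not an object, so this stand-alone Ruby sketch does the same lookup with those cases handled. The helper name `extract_message_id`, the tag `_messageid_missing` and the sample lines are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample events, modelled on the payloads in the question.
SAMPLES = [
  '{"RequestOne": {"Header": {"MessageID": "id-1", "SenderParty": "soapUI"}, "Data": {}}}',
  '{"RequestTwo": {"Header": {"MessageID": "id-2"}, "Data": {}}}',
  '{"RequestThree": {"Data": {}}}',   # no Header at all
  '{"RequestFour": "not an object"}', # wrapper value is not a hash
  'not json'                          # unparseable line
].freeze

# Hypothetical helper: returns the MessageID found under any top-level
# wrapper key, or nil when it is absent or the input is malformed.
# Accepts either an already-parsed Hash (what the json filter stores in
# its target) or a raw JSON string.
def extract_message_id(parsed)
  parsed = JSON.parse(parsed) if parsed.is_a?(String)
  return nil unless parsed.is_a?(Hash)

  parsed.each_value do |wrapper|
    next unless wrapper.is_a?(Hash)
    header = wrapper['Header']
    next unless header.is_a?(Hash)
    id = header['MessageID']
    return id if id.is_a?(String) && !id.empty?
  end
  nil
rescue JSON::ParserError
  nil
end

# Inside a Logstash ruby filter the same logic would be called as:
#   id = extract_message_id(event.get('[parsed_json]'))
#   id ? event.set('MessageID', id) : event.tag('_messageid_missing')
# ('_messageid_missing' is a made-up tag name.)

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |line| puts "#{line[0, 30]}... => #{extract_message_id(line).inspect}" }
end
```

Tagging events where the ID is missing, rather than letting the filter raise, keeps malformed entries searchable downstream.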
