Logstash manipulate json object before indexing to ES

davehatma · July 10, 2020, 3:17pm

A Kafka input plugin is getting messages in json format and being parsed by the json filter. One of the root keys -- transaction_details -- can contain a very large number of fields that we don't want to flatten into discreet fields. Would like to be able to convert the transaction_details root key from an object to a string that can be mapped as a text field and thus searchable as text but not selectable as a field in Kibana. We want to keep all the other json keys as they are when parsed. I can't seem to find a way (other than some kind of regular expression that seems very complicated and probably above my pay grade) to do this.

Sharing any thoughts would be most appreciated.

Thanks

Jenni · July 10, 2020, 4:00pm

You could encode that as JSON again after parsing it. Or maybe mapping it as "flattened" in ES would make sense?

ruby {
    init => "require 'json'"
    code => "event.set('transaction_details', JSON.generate(event.get('transaction_details')))"
  }

fadjar340 · July 12, 2020, 8:46am

Can you paste some samples data from kafka input ?

system · August 9, 2020, 8:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Transforming objects with key and value fields into simple fields Logstash	3	400	May 13, 2020
Json object field with name "tags" get converted to array after logstash mutate Logstash	4	1348	July 15, 2019
Kafka input json Logstash	2	3909	July 6, 2017
JSON nested field loosing formating when referenced in add_field Logstash	3	413	October 11, 2018
Read column of datatype "JSON" from database using Logstash Logstash	1	251	July 1, 2022

Logstash manipulate json object before indexing to ES

Related Topics