I have a JSON log of my application which contains elements in a nested array form, here is the sample of it:-
{
"msgs": [
{
"ts": "2017-09-04T07:07:46.37098Z",
"tid": 25,
"lvl": "Information",
"cat": "NCR.CP.GatewayService.TransactionProcessingEngine",
"msg": {
"cnt": "Resolution performed."
},
"data": {
"Response": {
"Content": {
"Company": {
"Number": 10031,
"Name": "Sprouts"
},
"NodeId": 0,
"StatusCode": 200
},
"ElapsedSeconds": 0.7458587
}
},
{
"ts": "2017-09-04T07:07:49.8951815Z",
"tid": 25,
"lvl": "Information",
"cat": "NCR.CP.GatewayService.TransactionProcessingEngine",
"msg": {
"cnt": "RSP"
},
"data": {
"ResponseTransaction": {
"Version": null,
"Server": {
"LogicalDatacenterId": 0,
"PhysicalDatacenterId": 0,
"TransactionId": 10909,
"UniqueId": "G00008D4F35EDADCD368",
"UniversalTimestamp": "2017-09-04T07:07:45.6249373Z"
},
"State": null,
"Tenant": {
"CompanyNumber": 10031,
"StoreNumber": 1,
"HostType": {
"Code": 7,
"Name": "ProdConcordHC"
},
},
"Terminal": {
"EMVCapabilities": "Contact, ContactlessDisabled",
"Type": null,
"SerialNumber": null,
"EMVKernelVersion": null,
"EMVIdentifierCAPK": null,
"PINCapabilities": null
},
"PointOfSale": {
"CashierNumber": "1",
"ReferenceNumber": null
},
"LocalTimestamp": "2017-06-16T14:58:57",
"LocalTimeZoneOffset": null
},
"Request": {
"MessageType": null,
"EntryMode": null,
"CashbackAmount": 0.00,
"AllowPartialAuthorization": true,
"TenderType": null,
"TransactionType": null,
"ReversalType": null,
"ReferenceId": null,
"AuditId": null,
"AccountNumberFirstSix": null,
"AccountNumberLastFour": null,
"AccountNumberLength": null,
"CardType": null,
"PreviousTransaction": null,
"Card": null,
"Check": null,
"Identification": null,
"Currency": null,
"Amount": null,
"TipAmount": null,
"Host": null
},
"Response": {
"ErrorCode": 96,
"ErrorMessage": "E2G",
"IsApproved": false,
"ResponseCode": "96",
"HostResponseCode": "E2G",
"HostResponseMessage": "EDIT ER:OPT DATA",
"ApprovedAmount": 0.00,
"ApprovedCashbackAmount": 0.0,
"IsApprovedLocally": false,
"AuthorizationCode": null,
"ResponseMessage": null,
"BalanceAmount": null,
"Check": null,
"Currency": null,
"Card": null,
"Host": null
}]
},
"Queue": null,
"SensitiveData": null,
"PreviousTransaction": null,
"Trace": null
}
}
},
}],
"RequestId": "G00008D4F35EDADCD368",
"RequestPath": "/Processor",
"Action": "http://servereps.mtxeps.com/TransactionService/SendTransaction",
"Contract": "NCR.CP.GatewayService.IProcessorTransactionContract",
"OperationName": "SendTransaction",
"MethodName": "SendTransaction"
}
Here "msgs" element contains nested array object into it, so to create field of every elements inside the array object i had followed the mutate and split approach both:-
Mutate filter:-
mutate {
add_field => {
"ts" => "%{[doc][msgs][0][ts]}"
"tid1" => "%{[doc][msgs][0][tid]}"
"eid1" => "%{[doc][msgs][0][eid]}"
"lvl1" => "%{[doc][msgs][0][lvl]}"
"cat1" => "%{[doc][msgs][0][cat]}"
"msg1" => "%{[doc][msgs][0][msg]}"
"data" => "%{[doc][msgs][1][data]}"
"actual-message" =>"%{[doc][msgs][3][data][Trace]}"
"error" =>"%{[doc][msgs][5][ex][exs][0][ec]}"
"error-type" =>"%{[doc][msgs][5][ex][exs][0][typ]}"
}
}
This approach is static as my logs is occurring dynamically i.e position of error is not fixed as it may come in 6th array element or may be at 7th or 8th, so i ignored this approach and followed the split filter approach:-
Split Filter in logstash config:-1:
input{
file{
path=>"C:\Logs\GatewayService\GatewayService-Processor.Transactions-20170830.slog"
}
}
split{
field=>"msg"
}
}
output{
elasticsearch {
hosts => ["localhost:9200"]
index => "g_index"}
}
now it is showing error as:
[2017-09-19T17:40:07,557][WARN ][logstash.filters.split ] Only String and Array types are splittable. field:msg is of type = NilClass
so how should i able to retrieve every element in this JSON to be a field so as to visualize in kibana by applying metrics in dashboard.