Logstash nested JSON Array, split and parse on nested JSON without using Ruby code

How to split separate field on nested JSON Array.

Can someone kindly help with this? Thank you.

Below is the nested JSON array

Sample JSON Code

"http": {
  "request": {
    "headers": [
   {
     "Name": "Host",
     "Value": "example.com"
    },
    {
      "Name": "Connection",
      "Value": "keep-alive"
    }
   ]
  }
}

Sample My Code

split {
      field => "[http][request][headers]"
    }
    mutate {
      add_field => {
        "[http][request][headers][%{[http][request][headers][Name]}]" => "%{[http][request][headers][Value]}"
    }
      remove_field => [
         "[http][request][headers][Name]",
         "[http][request][headers][Value]"
     ]
  }

After the code output is getting only one field

Hello @yelinaung

If we consider below as an example record :

{"timestamp":"2025-08-13T06:40:00Z","http":{"request":{"headers":[{"Name":"Host","Value":"my.demo.net"},{"Name":"Connection","Value":"keep-alive"},{"Name":"Accept","Value":""},{"Name":"platform","Value":"raspberry-pi"}]}}}

Tried using below filter to map 4 fields to 4 values :

filter {
  mutate {
    add_field => { "message" => "%{[event][original]}" }
  }
  if [http][request][headers] {
    mutate {
      add_field => {
        "Host" => "%{[http][request][headers][0][Value]}"
        "Connection" => "%{[http][request][headers][1][Value]}"
        "Accept" => "%{[http][request][headers][2][Value]}"
        "platform" => "%{[http][request][headers][3][Value]}"
      }
    }
  }
  mutate {
    remove_field => ["http", "timestamp", "event", "log", "@version"]
  }
}

image1194×102 6.99 KB

Thanks!!

Thanks for your instruction.