Logstash Nested JSON Parsing and Transforming data

zx8086 · November 16, 2021, 4:03am

How would I using the json filter to split the following json document and target / modify the time stamp (event.ts) ?

{"peer":"EC2LEBOQ77XSF46QEKYYYNKBTVATU33K","agent_name":"test-device","event":{"ts":1637034155000,"t":5,"src":"resilio_share","e":"Downloaded randfile16113","data":{"hash":"E012015B6E31A7077BEE076A3ECB895604F9B73F","name":"randfile16113","path":"randfile16113","size":1048576,"state":"Downloaded"},"id":26179,"jobRunId":11}}


filter
{
  json
    {
      source => "message"
    }
}

This is as far as I get, as I cannot transform the split json elements

leandrojmp · November 16, 2021, 4:18am

What do you mean by split? It is not clear what you are trying to do, can you give more details?

Badger · November 16, 2021, 5:18am

It sounds like you want

date { match => [ "[event][ts]", "UNIX_MS" ] }

which will set the @timestamp field of the event.

logstash does not use the . notation of Elasticsearch and kibana to reference fields inside of fields. It has its own (less ambiguous) notation using [ and ]

system · December 14, 2021, 5:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to parse JSON field obtained from split filter Logstash	5	825	July 10, 2018
Parsing nested json logs iin logstash Logstash	7	1060	July 7, 2017
Nested JSON data to Logstash Logstash	8	410	December 12, 2022
Timestamp replaced Logstash	18	1410	March 18, 2018
Split nested json array from log Logstash	13	3992	May 18, 2020

Logstash Nested JSON Parsing and Transforming data

Related topics