Logstash Nested JSON Parsing and Transforming data

zx8086 · November 16, 2021, 4:03am

How would I using the json filter to split the following json document and target / modify the time stamp (event.ts) ?

{"peer":"EC2LEBOQ77XSF46QEKYYYNKBTVATU33K","agent_name":"test-device","event":{"ts":1637034155000,"t":5,"src":"resilio_share","e":"Downloaded randfile16113","data":{"hash":"E012015B6E31A7077BEE076A3ECB895604F9B73F","name":"randfile16113","path":"randfile16113","size":1048576,"state":"Downloaded"},"id":26179,"jobRunId":11}}


filter
{
  json
    {
      source => "message"
    }
}

This is as far as I get, as I cannot transform the split json elements

leandrojmp · November 16, 2021, 4:18am

What do you mean by split? It is not clear what you are trying to do, can you give more details?

Badger · November 16, 2021, 5:18am

It sounds like you want

date { match => [ "[event][ts]", "UNIX_MS" ] }

which will set the @timestamp field of the event.

logstash does not use the . notation of Elasticsearch and kibana to reference fields inside of fields. It has its own (less ambiguous) notation using [ and ]

Topic		Replies	Views
Logstash how to parse and split nested json file Logstash	10	2075	June 20, 2022
Json input and splitting Logstash	12	7175	June 12, 2020
How to parse JSON field obtained from split filter Logstash	5	876	July 10, 2018
Logstash - split array into individual events Logstash	7	6629	June 16, 2019
Logstash and JSON array split [SOLVED] Logstash	11	31943	July 6, 2017

Logstash Nested JSON Parsing and Transforming data

Related topics