Logstash Nested JSON Parsing and Transforming data

zx8086 · November 16, 2021, 4:03am

How would I using the json filter to split the following json document and target / modify the time stamp (event.ts) ?

{"peer":"EC2LEBOQ77XSF46QEKYYYNKBTVATU33K","agent_name":"test-device","event":{"ts":1637034155000,"t":5,"src":"resilio_share","e":"Downloaded randfile16113","data":{"hash":"E012015B6E31A7077BEE076A3ECB895604F9B73F","name":"randfile16113","path":"randfile16113","size":1048576,"state":"Downloaded"},"id":26179,"jobRunId":11}}


filter
{
  json
    {
      source => "message"
    }
}

This is as far as I get, as I cannot transform the split json elements

leandrojmp · November 16, 2021, 4:18am

What do you mean by split? It is not clear what you are trying to do, can you give more details?

Badger · November 16, 2021, 5:18am

It sounds like you want

date { match => [ "[event][ts]", "UNIX_MS" ] }

which will set the @timestamp field of the event.

logstash does not use the . notation of Elasticsearch and kibana to reference fields inside of fields. It has its own (less ambiguous) notation using [ and ]

system · December 14, 2021, 5:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.