Logstash parsing in JSON

Sivajanani · September 23, 2020, 12:35pm

Hello,
I have a json in the following format.
{"group" : [{"name":"group1","tag":[{"name":"tag1"},{"name":"tag2"},{"name":"tag3"},{"name":"tag4"}]}],"association" : }
Using Logstash config I have to parse tag field and add tags , Hence I have my config filter part as below,

split {
field => "group"
}
mutate{
add_field => {"tag" => "%[group][tag][name]"}
}
But I am getting the result ingested as tag:[group][tag][name].

Kindly suggest where do I have to change my config.

grumo35 · September 23, 2020, 12:41pm

Hi,

add_tag => [ "%{[group][tag][name]}"]

Should do the trick

Sivajanani · September 23, 2020, 1:02pm

Hi @grumo35,
Thanks for the reply.

I have tried this. It is adding tags. Instead I want data to be ingested as,
tag [0]: tag1
tag [1]: tag2 and so on

where tag1,tag2,tag are part of json which has the above format mentioned in the case raised.

Sivajanani · September 23, 2020, 1:06pm

To add up, after changing
add_tag => [ "%{[group][tag][name]}"]

the result is as below,
tags" => [
[0] "["tag", "%{[group][tag][name]}"]"

grumo35 · September 23, 2020, 1:07pm

I'm not sure to fully understand your use case but you might wan to iterate over results in ruby to match the tag array position you want to use.

Did you manage to get it work ?

Sivajanani · September 23, 2020, 1:08pm

No still I am trying.

grumo35 · September 23, 2020, 1:11pm

Sivajanani · September 23, 2020, 1:25pm

But I dont want to add tags. In my case I want to parse the inner value of the json file.

Like in my case
{"group" : [{"name":"group1","tag":[{"name":"tag1"},{"name":"tag2"},{"name":"tag3"},{"name":"tag4"}]}],"association" : }
When I give,
split {
field => "group"
}
mutate{
add_field => {"tag" => "%[group][tag]"}
}
I am getting the output as tag: {"name":"tag1"},{"name":"tag2"},{"name":"tag3"},{"name":"tag4"}

But when I change that to,
add_field => {"tag" => "%[group][tag][name]"}
I data is getting ingested as tag:[group][tag][name]

chitreshg · September 30, 2020, 12:36pm

it seems you want tag as a separate field as an array which contain ["tag1", "tag2", "tag3"]
if this is your requirement then you can use ruby filter to get such pattern.

Badger · September 30, 2020, 1:15pm

Why are you using split when there is only a single member in the [group] array? You could just use

mutate { add_field => { "group" => "%{[group][0]}" } }

For the example data in the first post what do you want the final event to look like?

Sivajanani · September 30, 2020, 2:23pm

Thank you all for the suggestion.

I could get a single tag by giving like below,
"tag1" => "%{[group][tag][0][name]}"

Badger · September 30, 2020, 3:14pm

Does that mean your problem is solved? If not, what do you want the event fields to look like?