Merge Several json parsed fields to 1 field

Wesley_Smekens · June 7, 2016, 12:05pm

Hey All,

Part of our logs we recieve are in json format.
I filter out these messages with following filter:

json {
source => "Request"
target => "Request_parsed"
}

This works perfectly and we are getting a lot of Request_parsed.*** fields.
Now I want to merge part of these fields to a new field called Comment so i can use 1 field in kibana to show all the requests.

is this possible in logstash?

magnusbaeck · June 10, 2016, 5:36am

filter {
  mutate {
    add_field => {
      "merged_field" => "%{[Request_parsed][subfield1]} %{[Request_parsed][subfield2]}"
    }
  }
}

Wesley_Smekens · June 10, 2016, 12:15pm

ok got this:

mutate { add_field => { "Comment" => "%{[Request_parsed][type_label]} %{[Request_parsed][canonical_type_label]} %{[Request_parsed][title]}" %{[Request_parsed][value_label]}" }

The problem now is that not every field get's data and i get this in kibana:

June 10th 2016, 14:06:58.308%{[Request_parsed][type_label]} Disease %{[Request_parsed][title]} %{[Request_parsed][value_label]}

June 10th 2016, 14:06:51.362%{[Request_parsed][type_label]} %{[Request_parsed][canonical_type_label]} Combined immunodeficiency due to OX40 deficiency %{[Request_parsed][value_label]}

magnusbaeck · June 10, 2016, 7:37pm

Wrap the mutate filter in a conditional.

if [Request_parsed][type_label] {
  mutate {
    add_field => {
      "Comment" => "%{[Request_parsed][type_label]}"
    }
  }
}

Wesley_Smekens · June 13, 2016, 8:18am

thanks, works like a charm

Topic		Replies	Views
Logstash mutate field Logstash	2	248	August 27, 2021
Dissect json fields in a specific field Logstash	2	422	May 7, 2020
Combine strings from array into field Logstash	3	5516	July 6, 2017
Combine several fields using ruby/merge/aggregate Logstash	4	455	August 2, 2019
Filter to add fiels of on nested JSON name value fields Logstash	5	602	April 27, 2022

Merge Several json parsed fields to 1 field

Related topics