Each record is an array of results and there can be a variable number of records in each message.
My requirement is to split this message into a flat structure, such that each new message will have one result in it.
I tried applying the split filter to this message as below:
filter {
split { field => "records" }
}
When I do this, what I observes is that I get multiple messages and each message consists of one result from the first instance of records . However, the new messages still have the other instances (second, third etc.) of records arrays intact.
I am at a loss on how to solve this and would appreciate it if anyone can suggest a solution.
I double checked and yes it this that way. This is not a single json document, but is a collection of records of json format that are read from a cloud based kafka like message bus, where multiple records are packed together into a single message.
and you try to parse that using a json filter or a json codec the second [message][records] field overwrites the first. You will never see the "foo" data.
You could write a custom parser in a ruby filter. Or perhaps you can make it work using a multiline codec to consume a single [message][records] array and then use mutate to adjust it to be valid JSON.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.