Need to split a field into several fields in a JSON object

Lahiru_Lakshitha_Sam · January 12, 2017, 5:55pm

I need to split the "message": in to several fields in the same event and to remove some stuff in the "message": field Can I do this using split or mutate Need some help?

Version: Logstash 5.1.1
Operating System: CentOS
Config File: Still I am developing to my requirements

-SampleData: {
"_index": "vdashboard",
"_type": "vdash_events",
"_id": "AVmTpJUfTdL92-F20ysP",
"_score": null,
"_source": {
"@timestamp": "2017-01-12T17:05:53.941Z",
"port": 48169,
"@version": "1",
"host": "10.25.7.242",
"message": "{"status": "new", "storedTimestamp": "2017-01-12T17:05:11+0000", "domain": "IPM", "description": "TEST - Metric Memory Usage = 20%", "producer": "collector.vcenter.events", "locationCoordinates": [0, 0], "monitoredCIName": "node2", "source_events_count": 1, "assigned_to_name": "", "_id": "6f4659878eada113668aac28a7819cf7", "date_raised": "2017-01-12", "platforms": [""], "assigned_to_id": "", "raisedLocalTimestamp": "2017-01-12T17:05:11+0000", "toolUUID": "", "timestamp_reset": "", "detailsURL": "", "locationLabel": "", "message": "{'SNMP-COMMUNITY-MIB::snmpTrapAddress': '\\n\\x19\\t\\xe6', 'VMWARE-VC-EVENT-MIB::vmwVpxdTargetObjType': '3', 'VMWARE-VC-EVENT-MIB::vmwVpxdObjValue': 'TEST - Metric Memory Usage = 20%', 'SNMP-COMMUNITY-MIB::snmpTrapCommunity': '', 'VMWARE-VC-EVENT-MIB::vmwVpxdTargetObj': 'node2', 'VMWARE-VC-EVENT-MIB::vmwVpxdOldStatus': 'Yellow', 'VMWARE-VC-EVENT-MIB::vmwVpxdNewStatus': 'Red', 'SNMPv2-MIB::snmpTrapEnterprise': '1.3.6.1.4.1.6876.4.3', 'SNMPv2-MIB::sysUpTime': '415675122'}", "monitoredCIID": "", "date_hour_ended": "2017-01-12T17:05:11+0000", "locationCode": "LO1", "objectType": "event", "category": "Host", "version": "0.1.9", "state_trigger_id": "203", "isResetEvent": 0, "severity": 4, "objectId": "", "title": "TEST - node2", "monitoredCIClass": "", "related_events_ids": [""], "incident_number": "", "trigger": "TEST - node2", "products": ["Vcenter_Events"], "extraSourceData": {}, "KBArticle": "", "related_states_ids": [""], "timestamp_updated": "2017-01-12T17:05:11+0000", "raisedTimestamp": "2017-01-12T17:05:11+0000"}",
"type": "vdash_events",
"tags": []
},
"fields": {
"@timestamp": [
1484240753941
]
},
"sort": [
1484240753941
]
}

magnusbaeck · January 12, 2017, 6:29pm

It looks like you should specify codec => json or possibly codec => json_lines in your input plugin. If that for some reason isn't possible you should use the json filter.

Lahiru_Lakshitha_Sam · January 12, 2017, 6:39pm

Thanks I'm still new to ELK stack I'll try that

Lahiru_Lakshitha_Sam · January 12, 2017, 10:32pm

Thanks worked for me

system · February 9, 2017, 10:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.