Hi, does ELK solve the problem of parsing nested arrays in JSON?
I spent a day or two testing Graylog and it failed. I also came across another drawback in Graylog (it does not handle "" well). It seems there is no other tool that parses nested JSON. Our logs are highly nested; the only tools I found were as expensive as Splunk (Loggly, Sumologic). Any suggestions?
Hi,
A good start into Elasticsearch is https://www.elastic.co/guide/en/elasticsearch/guide/current/intro.html
If you want to parse specifically, you should look at Logstash https://www.elastic.co/guide/en/logstash/current/index.html
Will it parse nested arrays? I installed ELK and was able to load data, but it did not parse the nested JSON. Is that a known limitation? Kindly advise.
Thanks
Tushar
Hi,
I have moved your topic to the logstash forum to get more specific help on logstash.
To be sure I understand your request correctly:
Can you please provide an example of input JSON containing "nested JSON" and, if possible, a description of the expected structure as output?
Also, what is the level of nesting: is it simply one, or could it be more?
Hi,
I am trying the example here
https://www.elastic.co/guide/en/elasticsearch/reference/current/nested.html
PUT my_index/my_type/1
{
  "group" : "fans",
  "user" : [
    {
      "first" : "John",
      "last" : "Smith"
    },
    {
      "first" : "Alice",
      "last" : "White"
    }
  ]
}
Now Kibana shows the field as User, and the value as
{"first":"John","last":"Smith"}, {"first":"Alice","last":"White"}
In contrast, Splunk, when indexing the same data, will break it into the following fields:
user{}.first
  Values: Alice, John
user{}.last
  Values: Smith, White
So, in Splunk I have much wider options to query on individual first names; for example, I can search how many users have the first name Smith. It is also easier to understand the data if it is broken into individual logical units.
Thanks
Am I correct in the assumption that the issue below is what my problem is?
Kindly advise.
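As an added example (not part of the thread, and not Logstash, Elasticsearch or Splunk code): a small Python flattener that turns the nested document posted above into the Splunk-style multi-value fields described in the thread (user{}.first, user{}.last), so individual first or last names can be counted across events. The second sample document and the count_values helper are constructed for illustration, and the example also shows how scalar arrays and empty-string values ("") come out.

```python
import json
from collections import defaultdict

# Constructed sample input: the nested document from the post above.
SAMPLE_DOC = json.loads('''
{
  "group": "fans",
  "user": [
    {"first": "John", "last": "Smith"},
    {"first": "Alice", "last": "White"}
  ]
}
''')

# Second constructed event; it contains an empty-string value, which the
# flattener keeps as a real value instead of dropping it.
SECOND_DOC = {"group": "staff",
              "user": [{"first": "Bob", "last": "Smith"},
                       {"first": "", "last": "Lee"}]}


def flatten(doc):
    """Flatten nested JSON into Splunk-style multi-value fields.

    Object keys are joined with '.', each array level appends '{}' to the
    path, and every array element contributes one value to that field, so
    {"user": [{"first": "John"}, {"first": "Alice"}]} becomes
    {"user{}.first": ["John", "Alice"]}.
    """
    fields = defaultdict(list)

    def walk(value, path):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(value, list):
            for item in value:          # '{}' marks the array level
                walk(item, path + "{}")
        else:                           # scalar: str, number, bool or None
            fields[path].append(value)

    walk(doc, "")
    return dict(fields)


def count_values(events, field, wanted):
    """Count how many values of a flattened field equal `wanted` across events."""
    return sum(flatten(event).get(field, []).count(wanted) for event in events)
```

Running flatten(SAMPLE_DOC) yields {"group": ["fans"], "user{}.first": ["John", "Alice"], "user{}.last": ["Smith", "White"]}, and count_values over both sample events for user{}.last == "Smith" returns 2.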