Nested JSON data to Logstash

INS · November 14, 2022, 6:57pm

Hi
Can You point me out how to use data filter to making correct timestamp from file, below data (already prepared in JSON format)
timestamp should be taken from "collectionBeginTime" field.
Thanks for help

{
	"measFileHeader": {
		"fileFormotVersion": "1",
		"senderName": "Machine1",
		"senderType": "",
		"vendorName": "LB",
		"collectionBeginTime": "202112300935Z"
	},
	"measData": [
		{
			"nEId": {
				"nEUserName": "Proc1",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 34.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 252.0,
					"AUT2.-.NQUIEPS": 159782.0,
					"AUT2.-.NAUHSBSSYNFAI": 0.0,
					"AUT2.-.NQUIGBA": 280.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3843.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 440809.0,
					"AUT.-.NAUTPARSEN": 0.0,
					"AUT.-.NAUTPARMAP": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.CANCLOC.NMAPTOT": 15935.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15934.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 19137.0,
					"EVENTMAP.UPDALOC.NMAPSUCC": 19136.0				
				}
			]
		},
		{
			"nEId": {
				"nEUserName": "Proc2",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 22.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 259.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3750.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 441091.0,
					"AUT.-.NAUTPARSEN": 0.0


				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.EVENTMAPCANCLOC.NMAPTOT": 15910.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15913.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 19103.0				
				}
			]
		},
		{
			"nEId": {
				"nEUserName": "Proc3",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 30.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 249.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3728.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 441032.0,
					"AUT.-.NAUTPARSEN": 0.0,
					"AUT.-.NAUTPARMAP": 0.0,
					"AUT.-.NAUTREQMAP": 0.0,
					"AUT.-.NFAUTPS": 440754.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.CANCLOC.NMAPTOT": 15727.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15729.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 18818.0,
					"EVENTMAP.UPDALOC.NMAPSUCC": 18818.0,
					"EVENTMAP.UPDALOC.NMAPFLT": 0.0
				}
			]
		}
	],
	"measFileFooter": "202112300940Z"
}

my pipeline

input{
        file {
                codec => multiline { pattern => "^}" negate => true what => next max_lines => 20000 }
                        path => "/opt/data/input/test1.json"
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
date {
        match => ["collectionBeginTime", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }

        mutate { remove_field => [ "measStortTime", "collectionBeginTime", "measFileFooter" ] }
        split{ field => "measData" }
 if "_jsonparsefailure" not in [tags] { mutate { remove_field => "message" }  }
}

output{
        stdout{ codec=>"rubydebug" }
}

and output

{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc1",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0,
                       "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}
{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc2",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                 "gronularityPeriod" => 300,
                "AUT2.-.NAUSCSYNFAI" => 259.0,
                   "AUT2.-.NNVALGBA" => 0.0,
                "AUT2.-.NAUSGSYNFAI" => 22.0,
                   "AUT2.-.NNVALEPS" => 0.0,
                     "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 441091.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3750.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                       "EVENTMAP.CANCLOC.NMAPSUCC" => 15913.0,
                               "gronularityPeriod" => 300,
                        "EVENTMAP.UPDALOC.NMAPTOT" => 19103.0,
                "EVENTMAP.EVENTMAPCANCLOC.NMAPTOT" => 15910.0,
                                   "measStortTime" => "202112300940Z",
                        "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}
{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc3",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                 "gronularityPeriod" => 300,
                "AUT2.-.NAUSCSYNFAI" => 249.0,
                   "AUT2.-.NNVALGBA" => 0.0,
                "AUT2.-.NAUSGSYNFAI" => 30.0,
                   "AUT2.-.NNVALEPS" => 0.0,
                     "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                    "AUT.-.NFAUTPS" => 440754.0,
                "AUT.-.NAUREQQUINT" => 441032.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3728.0,
                 "AUT.-.NAUTREQMAP" => 0.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15729.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 18818.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15727.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 18818.0,
                 "EVENTMAP.UPDALOC.NMAPFLT" => 0.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}

INS · November 14, 2022, 9:48pm

INS:

"measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0,
                       "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]

I am also wondering how to flatten the structure for measinfo

INS · November 14, 2022, 10:25pm

ok I found the solution for date

  date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }

but how to work with nested measInfo?

Rios · November 14, 2022, 11:00pm

[measInfo][0][measStortTime]
[measInfo][1][measStortTime]...

INS · November 14, 2022, 11:01pm

Hi thx @Rios Do You know how to flatten the structure for measinfo?

INS · November 14, 2022, 11:03pm

I've tried something like

vi pipeline_npdb.yml
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "measFileHeader" }
        split{ field => "measData" }
        date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }
mutate { remove_field => [ "[measFileHeader][collectionBeginTime]", "[measData][measInfo][gronularityPeriod]", "[measData][measInfo][measStortTime]" ] }

        split {field => "measInfo" }

    ruby {
        code => '
            [ "measData", "measInfo" ].each { |field|
                event.get(field).each { |k, v|
                    event.set(k, v)
                }
                event.remove(field)
            }
        '
    }


 if "_jsonparsefailure" not in [tags] { mutate { remove_field => ["message", "measStortTime", "collectionBeginTime", "measFileFooter"] }  }
}

output{
        stdout{ codec=>"rubydebug" }
}

but it got errors

[WARN ] 2022-11-14 22:57:03.064 [[npdb]>worker0] split - Only String and Array types are splittable. field:measFileHeader is of type = Hash
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[ERROR] 2022-11-14 22:57:03.068 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 22:57:03.069 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 22:57:03.070 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
{
              "nEId" => {
                 "nEUserName" => "Proc1",
        "nEDistinguishedNome" => ""
    },
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2021-12-30T09:35:00Z,
          "measInfo" => [
        [0] {
               "gronularityPeriod" => 300,
                  "AUT2.-.NQUIGBA" => 280.0,
              "AUT2.-.NAUSCSYNFAI" => 252.0,
                  "AUT2.-.NQUIEPS" => 159782.0,
            "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                 "AUT2.-.NNVALGBA" => 0.0,
              "AUT2.-.NAUSGSYNFAI" => 34.0,
                 "AUT2.-.NNVALEPS" => 0.0,
                   "measStortTime" => "202112300940Z"
        },
        [1] {
               "gronularityPeriod" => 300,
                   "measStortTime" => "202112300940Z",
            "AUTHSUBS.-.SUBSTRIPL" => 0.0
        },
        [2] {
            "gronularityPeriod" => 300,
            "AUT.-.NAUREQQUINT" => 440809.0,
             "AUT.-.NAUTPARSEN" => 0.0,
            "AUT.-.NAUTTRIPPRO" => 3843.0,
                "measStortTime" => "202112300940Z",
             "AUT.-.NAUTPARREU" => 0.0,
             "AUT.-.NAUTPARMAP" => 0.0
        },
        [3] {
            "AUCSUBS.-.NUSUBSCNT" => 0.0,
              "gronularityPeriod" => 300,
            "AUCSUBS.-.NGSUBSCNT" => 0.0,
                  "measStortTime" => "202112300940Z",
             "AUCSUBS.-.NSUBSCNT" => 0.0
        },
        [4] {
            "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                    "gronularityPeriod" => 300,
             "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
             "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
            "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                        "measStortTime" => "202112300940Z",
             "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
        }
    ],
              "tags" => [
        [0] "multiline",
        [1] "_split_type_failure",
        [2] "_rubyexception"
    ],

Rios · November 14, 2022, 11:09pm

Try this

INS · November 14, 2022, 11:38pm

@Badger Can You share Yours approach for nested "measFileHeader","measInfo", "nEId" field. How can I fix it?
this it the last version of my pipeline

input{
        file {
                codec => multiline { pattern => "^}" negate => true what => next max_lines => 20000 }
                        path => "/opt/data/input/test1.json"
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "measData" }
        date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }
mutate { remove_field => [ "[measFileHeader][collectionBeginTime]", "[measData][measInfo][gronularityPeriod]", "[measData][measInfo][0][measStortTime]" ] }

    ruby {
        code => '
            event.get("[measData][nEId]").each { |k, v|
                event.set(k,v)
            }
            event.remove("[measData][nEId]")
        '
    }
ruby {
        code => '
            event.get("[measData][measInfo]").each { |k, v|
                event.set(k,v)
            }
            event.remove("[measData][measInfo]")
        '
    }

output

[ERROR] 2022-11-14 23:46:30.077 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 23:46:30.078 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 23:46:30.079 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
{
                   "path" => "/opt/data/input/test1.json",
    "nEDistinguishedNome" => "",
             "@timestamp" => 2021-12-30T09:35:00Z,
             "nEUserName" => "Proc1",
                   "tags" => [
        [0] "multiline",
        [1] "_rubyexception"
    ],
               "measData" => {
        "measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    },
                   "host" => "0.0.0.0",
         "measFileHeader" => {
        "fileFormotVersion" => "1",
               "vendorName" => "LB",
               "senderName" => "Machine1",
               "senderType" => ""
    },
               "@version" => "1"
}

this is root cause
ruby - Ruby exception occurred: no implicit conversion of Hash into String

system · December 12, 2022, 11:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create configure date filter data nested Logstash	2	700	January 14, 2022
Parse nested json Logstash	9	6395	July 6, 2017
Logstash Nested JSON Parsing and Transforming data Logstash	3	249	December 14, 2021
Create timestamp from nested JSON elements Logstash docker	2	493	December 1, 2021
Does the data input filter work on nested fields? Logstash	3	2064	July 6, 2017

Nested JSON data to Logstash

Related topics