Nested JSON data to Logstash

INS · November 14, 2022, 6:57pm

Hi
Can You point me out how to use data filter to making correct timestamp from file, below data (already prepared in JSON format)
timestamp should be taken from "collectionBeginTime" field.
Thanks for help

{
	"measFileHeader": {
		"fileFormotVersion": "1",
		"senderName": "Machine1",
		"senderType": "",
		"vendorName": "LB",
		"collectionBeginTime": "202112300935Z"
	},
	"measData": [
		{
			"nEId": {
				"nEUserName": "Proc1",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 34.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 252.0,
					"AUT2.-.NQUIEPS": 159782.0,
					"AUT2.-.NAUHSBSSYNFAI": 0.0,
					"AUT2.-.NQUIGBA": 280.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3843.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 440809.0,
					"AUT.-.NAUTPARSEN": 0.0,
					"AUT.-.NAUTPARMAP": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.CANCLOC.NMAPTOT": 15935.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15934.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 19137.0,
					"EVENTMAP.UPDALOC.NMAPSUCC": 19136.0				
				}
			]
		},
		{
			"nEId": {
				"nEUserName": "Proc2",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 22.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 259.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3750.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 441091.0,
					"AUT.-.NAUTPARSEN": 0.0


				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.EVENTMAPCANCLOC.NMAPTOT": 15910.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15913.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 19103.0				
				}
			]
		},
		{
			"nEId": {
				"nEUserName": "Proc3",
				"nEDistinguishedNome": ""
			},
			"measInfo": [
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT2.-.NNVALGBA": 0.0,
					"AUT2.-.NAUSGSYNFAI": 30.0,
					"AUT2.-.NNVALEPS": 0.0,
					"AUT2.-.NAUSCSYNFAI": 249.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUTHSUBS.-.SUBSTRIPL": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUT.-.NAUTTRIPPRO": 3728.0,
					"AUT.-.NAUTPARREU": 0.0,
					"AUT.-.NAUREQQUINT": 441032.0,
					"AUT.-.NAUTPARSEN": 0.0,
					"AUT.-.NAUTPARMAP": 0.0,
					"AUT.-.NAUTREQMAP": 0.0,
					"AUT.-.NFAUTPS": 440754.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"AUCSUBS.-.NSUBSCNT": 0.0,
					"AUCSUBS.-.NUSUBSCNT": 0.0,
					"AUCSUBS.-.NGSUBSCNT": 0.0
				},
				{
					"measStortTime": "202112300940Z",
					"gronularityPeriod": 300,
					"EVENTMAP.CANCLOC.NMAPTOT": 15727.0,
					"EVENTMAP.CANCLOC.NMAPFLT": 0.0,
					"EVENTMAP.CANCLOC.NMAPSUCC": 15729.0,
					"EVENTMAP.UPDALOC.NMAPTOT": 18818.0,
					"EVENTMAP.UPDALOC.NMAPSUCC": 18818.0,
					"EVENTMAP.UPDALOC.NMAPFLT": 0.0
				}
			]
		}
	],
	"measFileFooter": "202112300940Z"
}

my pipeline

input{
        file {
                codec => multiline { pattern => "^}" negate => true what => next max_lines => 20000 }
                        path => "/opt/data/input/test1.json"
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
date {
        match => ["collectionBeginTime", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }

        mutate { remove_field => [ "measStortTime", "collectionBeginTime", "measFileFooter" ] }
        split{ field => "measData" }
 if "_jsonparsefailure" not in [tags] { mutate { remove_field => "message" }  }
}

output{
        stdout{ codec=>"rubydebug" }
}

and output

{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc1",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0,
                       "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}
{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc2",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                 "gronularityPeriod" => 300,
                "AUT2.-.NAUSCSYNFAI" => 259.0,
                   "AUT2.-.NNVALGBA" => 0.0,
                "AUT2.-.NAUSGSYNFAI" => 22.0,
                   "AUT2.-.NNVALEPS" => 0.0,
                     "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 441091.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3750.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                       "EVENTMAP.CANCLOC.NMAPSUCC" => 15913.0,
                               "gronularityPeriod" => 300,
                        "EVENTMAP.UPDALOC.NMAPTOT" => 19103.0,
                "EVENTMAP.EVENTMAPCANCLOC.NMAPTOT" => 15910.0,
                                   "measStortTime" => "202112300940Z",
                        "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}
{
              "tags" => [
        [0] "multiline"
    ],
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2022-11-14T21:29:36.077353Z,
              "host" => "0.0.0.0",
    "measFileHeader" => {
          "fileFormotVersion" => "1",
        "collectionBeginTime" => "202112300935Z",
                 "senderName" => "Machine1",
                 "vendorName" => "LB",
                 "senderType" => ""
    },
          "@version" => "1",
          "measData" => {
            "nEId" => {
                     "nEUserName" => "Proc3",
            "nEDistinguishedNome" => ""
        },
        "measInfo" => [
            [0] {
                 "gronularityPeriod" => 300,
                "AUT2.-.NAUSCSYNFAI" => 249.0,
                   "AUT2.-.NNVALGBA" => 0.0,
                "AUT2.-.NAUSGSYNFAI" => 30.0,
                   "AUT2.-.NNVALEPS" => 0.0,
                     "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                    "AUT.-.NFAUTPS" => 440754.0,
                "AUT.-.NAUREQQUINT" => 441032.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3728.0,
                 "AUT.-.NAUTREQMAP" => 0.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15729.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 18818.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15727.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 18818.0,
                 "EVENTMAP.UPDALOC.NMAPFLT" => 0.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    }
}

INS · November 14, 2022, 9:48pm

INS:

"measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0,
                       "measStortTime" => "202112300940Z"
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]

I am also wondering how to flatten the structure for measinfo

INS · November 14, 2022, 10:25pm

ok I found the solution for date

  date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }

but how to work with nested measInfo?

Rios · November 14, 2022, 11:00pm

[measInfo][0][measStortTime]
[measInfo][1][measStortTime]...

INS · November 14, 2022, 11:01pm

Hi thx @Rios Do You know how to flatten the structure for measinfo?

INS · November 14, 2022, 11:03pm

I've tried something like

vi pipeline_npdb.yml
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "measFileHeader" }
        split{ field => "measData" }
        date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }
mutate { remove_field => [ "[measFileHeader][collectionBeginTime]", "[measData][measInfo][gronularityPeriod]", "[measData][measInfo][measStortTime]" ] }

        split {field => "measInfo" }

    ruby {
        code => '
            [ "measData", "measInfo" ].each { |field|
                event.get(field).each { |k, v|
                    event.set(k, v)
                }
                event.remove(field)
            }
        '
    }


 if "_jsonparsefailure" not in [tags] { mutate { remove_field => ["message", "measStortTime", "collectionBeginTime", "measFileFooter"] }  }
}

output{
        stdout{ codec=>"rubydebug" }
}

but it got errors

[WARN ] 2022-11-14 22:57:03.064 [[npdb]>worker0] split - Only String and Array types are splittable. field:measFileHeader is of type = Hash
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[WARN ] 2022-11-14 22:57:03.067 [[npdb]>worker0] split - Only String and Array types are splittable. field:measInfo is of type = NilClass
[ERROR] 2022-11-14 22:57:03.068 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 22:57:03.069 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 22:57:03.070 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):5:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
{
              "nEId" => {
                 "nEUserName" => "Proc1",
        "nEDistinguishedNome" => ""
    },
              "path" => "/opt/data/input/test1.json",
        "@timestamp" => 2021-12-30T09:35:00Z,
          "measInfo" => [
        [0] {
               "gronularityPeriod" => 300,
                  "AUT2.-.NQUIGBA" => 280.0,
              "AUT2.-.NAUSCSYNFAI" => 252.0,
                  "AUT2.-.NQUIEPS" => 159782.0,
            "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                 "AUT2.-.NNVALGBA" => 0.0,
              "AUT2.-.NAUSGSYNFAI" => 34.0,
                 "AUT2.-.NNVALEPS" => 0.0,
                   "measStortTime" => "202112300940Z"
        },
        [1] {
               "gronularityPeriod" => 300,
                   "measStortTime" => "202112300940Z",
            "AUTHSUBS.-.SUBSTRIPL" => 0.0
        },
        [2] {
            "gronularityPeriod" => 300,
            "AUT.-.NAUREQQUINT" => 440809.0,
             "AUT.-.NAUTPARSEN" => 0.0,
            "AUT.-.NAUTTRIPPRO" => 3843.0,
                "measStortTime" => "202112300940Z",
             "AUT.-.NAUTPARREU" => 0.0,
             "AUT.-.NAUTPARMAP" => 0.0
        },
        [3] {
            "AUCSUBS.-.NUSUBSCNT" => 0.0,
              "gronularityPeriod" => 300,
            "AUCSUBS.-.NGSUBSCNT" => 0.0,
                  "measStortTime" => "202112300940Z",
             "AUCSUBS.-.NSUBSCNT" => 0.0
        },
        [4] {
            "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                    "gronularityPeriod" => 300,
             "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
             "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
            "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                        "measStortTime" => "202112300940Z",
             "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
        }
    ],
              "tags" => [
        [0] "multiline",
        [1] "_split_type_failure",
        [2] "_rubyexception"
    ],

Rios · November 14, 2022, 11:09pm

Try this

INS · November 14, 2022, 11:38pm

@Badger Can You share Yours approach for nested "measFileHeader","measInfo", "nEId" field. How can I fix it?
this it the last version of my pipeline

input{
        file {
                codec => multiline { pattern => "^}" negate => true what => next max_lines => 20000 }
                        path => "/opt/data/input/test1.json"
                        sincedb_path => "/dev/null"
                        start_position => beginning
                        file_completed_action => "log"
                        file_completed_log_path => "/opt/data/logstash_files/fin_eir.log"
                        mode => read
        }
}


filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "measData" }
        date {
        match => ["[measFileHeader][collectionBeginTime]", "yyyyMMddHHmmZ"]
        timezone => "Europe/Paris"
        target => "@timestamp"
            }
mutate { remove_field => [ "[measFileHeader][collectionBeginTime]", "[measData][measInfo][gronularityPeriod]", "[measData][measInfo][0][measStortTime]" ] }

    ruby {
        code => '
            event.get("[measData][nEId]").each { |k, v|
                event.set(k,v)
            }
            event.remove("[measData][nEId]")
        '
    }
ruby {
        code => '
            event.get("[measData][measInfo]").each { |k, v|
                event.set(k,v)
            }
            event.remove("[measData][measInfo]")
        '
    }

output

[ERROR] 2022-11-14 23:46:30.077 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 23:46:30.078 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
[ERROR] 2022-11-14 23:46:30.079 [[npdb]>worker0] ruby - Ruby exception occurred: no implicit conversion of Hash into String {:class=>"TypeError", :backtrace=>["(ruby filter code):4:in `block in filter_method'", "org/jruby/RubyArray.java:1821:in `each'", "(ruby filter code):3:in `block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:in `inline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"]}
{
                   "path" => "/opt/data/input/test1.json",
    "nEDistinguishedNome" => "",
             "@timestamp" => 2021-12-30T09:35:00Z,
             "nEUserName" => "Proc1",
                   "tags" => [
        [0] "multiline",
        [1] "_rubyexception"
    ],
               "measData" => {
        "measInfo" => [
            [0] {
                   "gronularityPeriod" => 300,
                      "AUT2.-.NQUIGBA" => 280.0,
                  "AUT2.-.NAUSCSYNFAI" => 252.0,
                      "AUT2.-.NQUIEPS" => 159782.0,
                "AUT2.-.NAUHSBSSYNFAI" => 0.0,
                     "AUT2.-.NNVALGBA" => 0.0,
                  "AUT2.-.NAUSGSYNFAI" => 34.0,
                     "AUT2.-.NNVALEPS" => 0.0
            },
            [1] {
                   "gronularityPeriod" => 300,
                       "measStortTime" => "202112300940Z",
                "AUTHSUBS.-.SUBSTRIPL" => 0.0
            },
            [2] {
                "gronularityPeriod" => 300,
                "AUT.-.NAUREQQUINT" => 440809.0,
                 "AUT.-.NAUTPARSEN" => 0.0,
                "AUT.-.NAUTTRIPPRO" => 3843.0,
                    "measStortTime" => "202112300940Z",
                 "AUT.-.NAUTPARREU" => 0.0,
                 "AUT.-.NAUTPARMAP" => 0.0
            },
            [3] {
                "AUCSUBS.-.NUSUBSCNT" => 0.0,
                  "gronularityPeriod" => 300,
                "AUCSUBS.-.NGSUBSCNT" => 0.0,
                      "measStortTime" => "202112300940Z",
                 "AUCSUBS.-.NSUBSCNT" => 0.0
            },
            [4] {
                "EVENTMAP.CANCLOC.NMAPSUCC" => 15934.0,
                        "gronularityPeriod" => 300,
                 "EVENTMAP.UPDALOC.NMAPTOT" => 19137.0,
                 "EVENTMAP.CANCLOC.NMAPTOT" => 15935.0,
                "EVENTMAP.UPDALOC.NMAPSUCC" => 19136.0,
                            "measStortTime" => "202112300940Z",
                 "EVENTMAP.CANCLOC.NMAPFLT" => 0.0
            }
        ]
    },
                   "host" => "0.0.0.0",
         "measFileHeader" => {
        "fileFormotVersion" => "1",
               "vendorName" => "LB",
               "senderName" => "Machine1",
               "senderType" => ""
    },
               "@version" => "1"
}

this is root cause
ruby - Ruby exception occurred: no implicit conversion of Hash into String

system · December 12, 2022, 11:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create configure date filter data nested Logstash	2	700	January 14, 2022
Parse nested json Logstash	9	6394	July 6, 2017
How to use JSON filter correctly to parse my data? Logstash docker	1	213	July 10, 2023
Nested json with multi field parsing through logstash Logstash	16	412	December 8, 2023
Getting timestamp inside timestamp Logstash	13	579	November 10, 2021

Nested JSON data to Logstash

Related Topics