Parse any field that has a specific name

baselai · August 9, 2019, 6:20pm

Is it possible to parse any field in Json, under any root, that has a unix time format?
I might have in my json file this field
"timestamp": 1554940800000
it might be at any root in the json, with this naming convention of the filed might contain timestamp as name value

right now I'm parsing it using a hardcoded path because I know where that field is in the json, but I need to generalize it, also process all fields if there is more that one.

filter {
  date {
        match => [ "[body][resource][value][timestamp]", "UNIX_MS" ]
        target => "[body][resource][value][timestamp]"
  }
}

Badger · August 9, 2019, 6:30pm

Do you want the timestamp field overwritten with the parsed date?

baselai · August 9, 2019, 6:32pm

@Badger Yes, as you can see that I'm parsing that specific field using match and target, but it might be at any root/level and the json might have more than one field with that unix value to be parsed. If there is more than one field they'll all contain the value timestamp in their name at somehow.

Badger · August 9, 2019, 6:52pm

Will you be flattening the JSON with the script I posted yesterday? That greatly simplifies things.

baselai · August 9, 2019, 6:54pm

@Badger yes exactly, I'll be flattening the json using the ruby script you posted.

Badger · August 9, 2019, 6:58pm

Then you can use

    ruby {
        code => '
            event.to_hash.each { |k, v|
                if k =~ /(^|\.)timestamp$/ and v.to_s.to_i == v
                    event.set(k, LogStash::Timestamp.new(Time.at(v/1000)))
                end
            }
        '
    }

which will produce

      "body.input.value.timestamp" => 2019-04-11T00:00:00.000Z,

baselai · August 9, 2019, 7:13pm

@Badger it didn't work when there is two fields timestamp1 and timestamp2, the ruby code can't detect the field if there is characters after the timestamp value and also when the fields names are 1timestamp 2timestamp

Badger · August 9, 2019, 7:55pm

You could change the regexp that is matching the field name. What do you mean by 'characters after the timestamp value'?

baselai · August 9, 2019, 7:56pm

if I have test_timestamp or 1_timestamp etc..
I solved it by adding the .* anchor:

event.to_hash.each { |k, v|
                if k =~ /(^|\.).*timestamp.*$/ and v.to_s.to_i == v
                    event.set(k, LogStash::Timestamp.new(Time.at(v/1000)))
                end
            }

system · September 6, 2019, 7:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse specific field when JSON filter failed Logstash	2	233	June 21, 2022
Date filter can't read from fieldnames which contain dots (created by the JSON filter) Logstash	3	712	May 14, 2020
Parse UNIX timestamp as human readable date while moving the data into elasticsearch Logstash	3	1113	February 4, 2019
Logstash Json filter re-formated the @timestamp field unexpectedly Logstash	6	1497	July 13, 2020
Logstash regex option for match settings! Logstash	2	1034	July 6, 2017

Parse any field that has a specific name

Related topics