Parse json with multiple lists to different events

Hi all,

I'm trying to parse a json I get from an API which contains several lists of objects, which I would like to parse each object of each list to a different event.

{
   "Time":"XXXXX",
   "listA":[ ],
   "listB":[ ],
   "listC":[ ],
   "listD":[ ]
}

I've been playing with split filter, but what I get is 1 event with one object of each list:

input {
    XXXX
}
filter {
  json {
    source => "message"
  }
  split { 
    field => "listA"
  }
  split { 
    field => "listB"
  }
}
output {
    stdout {
        codec => rubydebug
    }
}

result event:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{},
   "objectB":{},
}

What I would like to get are 2 different events:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectB":{}
}

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{}
}

Any idea how can I do this?

Thanks!

Create an array containing the list of lists and split that, then split each array within it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.