Discuss the Elastic Stack

Parse json with multiple lists to different events

Elastic Stack Logstash

aleixsb (Aleix) April 1, 2020, 6:59am 1

Hi all,

I'm trying to parse a json I get from an API which contains several lists of objects, which I would like to parse each object of each list to a different event.

{
   "Time":"XXXXX",
   "listA":[ ],
   "listB":[ ],
   "listC":[ ],
   "listD":[ ]
}

I've been playing with split filter, but what I get is 1 event with one object of each list:

input {
    XXXX
}
filter {
  json {
    source => "message"
  }
  split { 
    field => "listA"
  }
  split { 
    field => "listB"
  }
}
output {
    stdout {
        codec => rubydebug
    }
}

result event:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{},
   "objectB":{},
}

What I would like to get are 2 different events:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectB":{}
}

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{}
}

Any idea how can I do this?

Thanks!

Badger April 1, 2020, 3:18pm 2

Create an array containing the list of lists and split that, then split each array within it.

system (system) Closed April 29, 2020, 3:18pm 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Parsing JSON input with multiple arrays as events Logstash	7	948	September 21, 2020
Logstash - split array into individual events Logstash	7	6358	June 16, 2019
Split JSON into several events Logstash	5	390	July 6, 2021
How to split a JSON array inside an object Logstash	2	9243	July 6, 2017
Create new records from old one Logstash	8	409	January 12, 2022

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.