Discuss the Elastic Stack

Parse json with multiple lists to different events

Elastic Stack Logstash

aleixsb (Aleix) April 1, 2020, 6:59am 1

Hi all,

I'm trying to parse a json I get from an API which contains several lists of objects, which I would like to parse each object of each list to a different event.

{
   "Time":"XXXXX",
   "listA":[ ],
   "listB":[ ],
   "listC":[ ],
   "listD":[ ]
}

I've been playing with split filter, but what I get is 1 event with one object of each list:

input {
    XXXX
}
filter {
  json {
    source => "message"
  }
  split { 
    field => "listA"
  }
  split { 
    field => "listB"
  }
}
output {
    stdout {
        codec => rubydebug
    }
}

result event:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{},
   "objectB":{},
}

What I would like to get are 2 different events:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectB":{}
}

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{}
}

Any idea how can I do this?

Thanks!

Badger April 1, 2020, 3:18pm 2

Create an array containing the list of lists and split that, then split each array within it.

Topic		Replies	Views	Activity
Create new records from old one Logstash	8	483	January 12, 2022
Logstash and JSON array split Logstash	5	390	October 16, 2020
Split JSON into several events Logstash	5	524	July 6, 2021
Split json object into multiple Events for ES Logstash	3	552	November 19, 2019
Logstash filter split array of json into individual objects Logstash	5	301	February 28, 2023

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.