Discuss the Elastic Stack

Parse json with multiple lists to different events

Elastic Stack Logstash

aleixsb (Aleix) April 1, 2020, 6:59am 1

Hi all,

I'm trying to parse a json I get from an API which contains several lists of objects, which I would like to parse each object of each list to a different event.

{
   "Time":"XXXXX",
   "listA":[ ],
   "listB":[ ],
   "listC":[ ],
   "listD":[ ]
}

I've been playing with split filter, but what I get is 1 event with one object of each list:

input {
    XXXX
}
filter {
  json {
    source => "message"
  }
  split { 
    field => "listA"
  }
  split { 
    field => "listB"
  }
}
output {
    stdout {
        codec => rubydebug
    }
}

result event:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{},
   "objectB":{},
}

What I would like to get are 2 different events:

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectB":{}
}

{
   "@timestamp":"2020-04-01T06:52:42.224Z",
   "objectA":{}
}

Any idea how can I do this?

Thanks!

Badger April 1, 2020, 3:18pm 2

Create an array containing the list of lists and split that, then split each array within it.

system (system) Closed April 29, 2020, 3:18pm 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.