Parsing dictionary into json file

saisimo02 · July 19, 2019, 11:49am

Hello,

I would like to parse a json file, my file looks like that:

file={"id":"*******","name":"test","alarm":{"error":2,"warning":3}}

using this filter:

json {
            source => "message"

    }

I get only these fields: "alarm.error" and "alaram.warning"

I would like to get this field: alarm, then in kibana I can select which level of alarm ("error","warning"...) and show the value of each level.

I tried to use split but I don't think we can split a dictionary.

Thank your for your help

Badger · July 19, 2019, 12:39pm

What you have is an alarm object that contains warning and error fields. In kibana that will show up as alarm.error and alarm.warning

      "name" => "test",
     "alarm" => {
    "warning" => 3,
      "error" => 2
},
        "id" => "*******",

saisimo02 · July 19, 2019, 1:07pm

Yes, but what I would like to have is a new filter named for example alarmLevel and inside there is the level : warning, error, info...
the desired output is

 {"name" => "test",
 "alarmlevel" => "warning",
 "alarmValue"=>3,
 "id" => "*******"},
{"name" => "test",
     "alarmlevel" => "error",
     "alarmValue"=>2,
     "id" => "*******"}

Badger · July 19, 2019, 1:18pm

You could try this

    ruby {
        code => '
            a = []
            event.get("alarm").each { |k, v|
                h = Hash.new
                h["alarmLevel"] = k
                h["alarmValue"] = v
                a << h
            }
            event.remove("alarm")
            event.set("alarm", a)
        '
    }
    split { field => "alarm" }

If you need to then move the contents of alarm to the root level look at this.

luc1 · July 22, 2019, 7:52am

Hello Badger,

This gives me the following Error:
Ruby exception occured : undefined method 'each' for NilClass.

Which means the class 'alarm' doesn't exist right ?

Badger · July 22, 2019, 11:58am

Correct.

luc1 · July 22, 2019, 12:05pm

"alarmMetadata":{"criticalAlarmCount":29,"majorAlarmCount":0,"minorAlarmCount":6,"warningAlarmCount":0}

If we added "[ ]" at the beginning and the end of the value of alarmMetadata with logstash, would it create the field "alarmMetadata" ? So the dictionary turns into a list..

Badger · July 22, 2019, 12:10pm

That would be {}, not

    mutate { gsub => [ "message", "^", "{", "message", "$", "}" ] }
    json { source => "message" }

will result in

"alarmMetadata" => {
    "criticalAlarmCount" => 29,
       "minorAlarmCount" => 6,
     "warningAlarmCount" => 0,
       "majorAlarmCount" => 0
},

luc1 · July 22, 2019, 12:35pm

Thanks a lot

system · August 19, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.