Our logs have HTTP headers as a JSON array, as shown below:
"httpRequest": {
  "httpVersion": "HTTP/1.1",
  "args": "",
  "country": "US",
  "requestId": "1-5fec0c53-78cbd10c4248df7666a62d78",
  "clientIp": "107.xx.yy.zz",
  "uri": "/",
  "httpMethod": "GET",
  "headers": [
    {
      "name": "Host",
      "value": "www.xyz.com"
    },
    {
      "name": "User-Agent",
      "value": "some user agent"
    },
    {
      "name": "Accept",
      "value": "*/*"
    },
    {
      "name": "Accept-Encoding",
      "value": "identity,gzip,deflate"
    }
  ]
}
In our conf file we have tried this:
filter {
  json {
    source => "message"
  }
  split {
    field => "[httpRequest][headers]"
  }
}
It works, but only 1 header pair is parsed and stored in Elastic. I think this is due to the fact that the array keys are not unique for each pair. They are the same ("name" and "value"), and hence only 1 pair is stored and the others are probably being overwritten.
Can this be addressed using a filter plugin?
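
One way to reshape the array into one field per header, as an added example that is not part of the original post: standalone Ruby for logic that could sit in a Logstash `ruby` filter. The helper names `headers_to_hash` and `flatten_event` are hypothetical, and the sample event is constructed from the log above with a repeated header, a dotted name and a nameless entry added.

```ruby
require 'json'

# Constructed sample event, modelled on the log in the post above.
SAMPLE_EVENT = <<~EOS
  {"httpRequest": {"clientIp": "107.xx.yy.zz", "uri": "/", "headers": [
    {"name": "Host", "value": "www.xyz.com"},
    {"name": "User-Agent", "value": "some user agent"},
    {"name": "Accept", "value": "*/*"},
    {"name": "X-Forwarded-For", "value": "198.51.100.7"},
    {"name": "x-forwarded-for", "value": "203.0.113.9"},
    {"name": "Bad.Header", "value": "x"},
    {"value": "entry without a name"}
  ]}}
EOS

# Turn [{"name" => n, "value" => v}, ...] into {n => v}, one key per header.
# (headers_to_hash is a hypothetical helper name, not a Logstash API.)
def headers_to_hash(headers)
  return {} unless headers.is_a?(Array)

  headers.each_with_object({}) do |pair, out|
    next unless pair.is_a?(Hash) && pair['name'].is_a?(String)

    # Header names are case-insensitive, so normalise the case. Characters
    # such as dots become underscores so the name is not read as a nested
    # field path.
    key = pair['name'].strip.downcase.gsub(/[^a-z0-9_-]/, '_')
    next if key.empty?

    value = pair['value'].to_s
    # A repeated header keeps every value instead of overwriting the first.
    out[key] = out.key?(key) ? Array(out[key]) + [value] : value
  end
end

# Parse one JSON log line and replace the header array with the keyed hash.
def flatten_event(json_line)
  event = JSON.parse(json_line)
  request = event['httpRequest'] || {}
  request['headers'] = headers_to_hash(request['headers'])
  event
end

puts JSON.pretty_generate(flatten_event(SAMPLE_EVENT)) if __FILE__ == $PROGRAM_NAME
```

Header names come from the client, so every distinct name becomes a new field in the index; keeping only an allowlist of names inside `headers_to_hash` bounds that growth.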