Parsing json array with logstash

Webtrend_Inc · December 30, 2020, 6:01am

Our logs have http headers as a json array as shown below

"httpRequest": {
      "httpVersion": "HTTP/1.1",
      "args": "",
      "country": "US",
      "requestId": "1-5fec0c53-78cbd10c4248df7666a62d78",
      "clientIp": "107.xx.yy.zz",
      "uri": "/",
      "httpMethod": "GET",
      "headers": [
        {
          "name": "Host",
          "value": "www.xyz.com"
        },
        {
          "name": "User-Agent",
          "value": "some user agent"
        },
        {
          "name": "Accept",
          "value": "*/*"
        },
        {
          "name": "Accept-Encoding",
          "value": "identity,gzip,deflate"
        }
      ]
    }

In our conf file we have tried this:

filter {
    json {
         source => "message"
         }
   split {
          field => "[httpRequest][headers]"
          }

It works but only 1 header pair is parsed and stored in elastic. I think this is due to the fact that the array keys are not unique for each pair. They are same ("name" and "value") and hence only 1 pair is stored and others are probably being overwritten.

Can this be addressed using filter plugin?

Badger · December 30, 2020, 4:13pm

How do you want to address it? Does this help?

Webtrend_Inc · January 4, 2021, 1:48am

@Badger thanks for the reference. That is exactly what I was looking for and the filter did the trick. The only issue was that the syntax on that reference thread was incorrect. It should be [Request][HeadersFlattened][#{name}]. It was missing square brackets. Other than that it worked perfectly. Thanks.

Badger · January 4, 2021, 2:04am

Oh, yes. logstash used to allow ambiguous field references like "[a]b" but for a couple of years it has insisted upon "[a][b]"

system · February 1, 2021, 2:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.