Parsing multiple static cloudtrail files with json codec

jgwentworth · December 12, 2017, 6:19pm

Hi, I'm running into an issue where I can parse individual cloud trail files but cannot ingest multiple files with the same json structure.

file {
path => "/home/**/*.json"
type => "cloudtrail"
codec => json {
charset => "ASCII"
}
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
if [type] == "cloudtrail" {
json {
source => "message"
}
split {
field => "Records"
}
}
}

jgwentworth · December 14, 2017, 1:11pm

the fix is running this command on your cloud trail files:

cat $filetochange | jq -r -M .Records[] -c >> finaljsonfile.json

system · January 11, 2018, 1:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash cloudtrail codec doesn't work Logstash	3	1558	September 19, 2017
Parsing multiple json in a file Logstash	4	386	May 26, 2022
Best way to ingest JSON files? Logstash	6	1690	July 6, 2017
Ingest multiple json files under a folder Logstash	11	2573	August 8, 2019
.JSON Conf File for Logstash Logstash	20	593	October 23, 2023

Parsing multiple static cloudtrail files with json codec

Related topics