Parsing nested arrays in json objects

I'm trying to parse lines of json from Filebeat log files to Logstash to Elasticstack.

The problem I'm having is that some of these lines contains nested arrays in json objects.

Here's a sample (prettified):

  "EventTime": "2018-11-15T16:47:37.8053627+00:00",
  "ThreadId": 46,
  "LogEntryType": "Info",
  "Context": "Application.Sample",
  "MeaningCode": "LOGIN",
  "UserId": 13,
  "LoggedObjects": [
      "ExternalSystemVersion": "Sample Ext",
      "Extension": "0",
      "UnderlyingTask": ".",
      "CurrentTask": "Sample",
      "UserName": "User",
      "TaskManagerId": "eed19b9a-47b4-42f3-ac83-38f6e5a27fef"
  "LoggedException": null

The array here being 'LoggedObjects'.

In the logstash config I've tried using the json filter like:

input {
  beats {
    port => 5044
    codec => "json"

filter {
  if ([LogEntryType] =~ "Info") {
    json {
      source => "LoggedObjects"
      target => "log"

But I get an exception:
:exception=>java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to org.jruby.RubyIO

With the current versions of Filebeat and Logstash (6.5) what is the best way to deserialize(?) this so that they appear as separate fields in Kibana and not just one object?


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.