Parsing nested arrays in json objects


#1

I'm trying to parse lines of json from Filebeat log files to Logstash to Elasticstack.

The problem I'm having is that some of these lines contains nested arrays in json objects.

Here's a sample (prettified):

{
  "EventTime": "2018-11-15T16:47:37.8053627+00:00",
  "ThreadId": 46,
  "LogEntryType": "Info",
  "Context": "Application.Sample",
  "MeaningCode": "LOGIN",
  "UserId": 13,
  "LoggedObjects": [
    {
      "ExternalSystemVersion": "Sample Ext",
      "Extension": "0",
      "UnderlyingTask": ".",
      "CurrentTask": "Sample",
      "UserName": "User",
      "TaskManagerId": "eed19b9a-47b4-42f3-ac83-38f6e5a27fef"
    }
  ],
  "LoggedException": null
}

The array here being 'LoggedObjects'.

In the logstash config I've tried using the json filter like:

input {
  beats {
    port => 5044
    codec => "json"
  }
}

filter {
  if ([LogEntryType] =~ "Info") {
    json {
      source => "LoggedObjects"
      target => "log"
    }
  }
}

But I get an exception:
:exception=>java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to org.jruby.RubyIO

With the current versions of Filebeat and Logstash (6.5) what is the best way to deserialize(?) this so that they appear as separate fields in Kibana and not just one object?

Thanks
Alex