Parsing nested JSON fields to separate fields

ottramst · September 25, 2020, 11:40am

Hello everyone!

I need to create a Logstash configuration that allows me to parse nested JSON fields to single fields.

Input event looks like this:

{
	"cloud": {
		"instance": {
			"id": "XXXX"
		},
		"machine": {
			"type": "t3a.large"
		},
		"provider": "aws",
		"availability_zone": "eu-central-1a",
		"region": "eu-central-1",
		"account": {
			"id": "XXXX"
		},
		"image": {
			"id": "XXXX"
		}
	}
}

And the output I would like to have is to have every nested value parsed to fields along with parent field names included in the final field name like so:

"cloud_instance_id" => "XXX"
"cloud_machine_type" => "XXX"

I have tried with just using the add_field filter and creating a new field using the value like so:

mutate {
  add_field => {
    "cloud_account_id" => "%{[cloud][account][id]}"
  }
}

But I'm looking to find out if there is a way to do this by using the Ruby filter and creating a reusable script with input parameters.

Any help is appreciated!

Badger · September 25, 2020, 2:06pm

See this answer.

ottramst · September 25, 2020, 2:51pm

Thank you! Case closed.

system · October 23, 2020, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - ruby script to create array of nested fields Logstash	2	2111	October 17, 2019
Best Way to create nested field Logstash	10	21026	July 6, 2017
Trying to access nested json in logstash mutate filter Logstash	10	20523	July 6, 2017
How to create fields from nested fields for json data in logstash Logstash	9	726	July 31, 2020
How to parse nested json through logstash Logstash	8	719	July 16, 2020

Parsing nested JSON fields to separate fields

Related topics