Hello!
I'm trying to load some data from an ES index (using Elasticsearch input plugin), parse some of its fields with grok filter and load them back into another ES index. I can't seem to find a way to access a particular field in my input event.
The event doesn't contain tha 'message' field, just a JSON that ES query returned (but not as a string).
Any suggestions on how to approach this?
What does your current json look like along with your current config.
--
Niraj
Hello!
My JSON looks like this:
{ "createdByName": "jharrison29", "Company": "The Company", "assetCategory": "Prestige", "SectorCategoryToAsset": "\\Beauty Care,\\Beauty Care\\Skin and Personal Care", "Product": [ { "subbrand": null, "subsector": null, "subsubbrand": "N/A", "fpc_id": 80317569, "segment": null, "category": "Personal Power", "sector": null, "brand": "Somebrande" }, { "subbrand": null, "subsector": null, "subsubbrand": "N/A", "fpc_id": 87448895, "segment": null, "category": "Pet Care", "sector": null, "brand": "Somebrand" } ], "asset_id": 16515969, "AssetStatus": "\\Final", "assetTypeGrouping": "marketing assets", "ModifiedDate": "4/8/2016", "targetDefinition": "M.Asset", "AssetView": "Front", "assetgeography": [ { "country": "FR", "region": "EMEA" }, { "country": "PL", "region": "EMEA" } ], "FileExtension": "\\other", "@version": "1", "assetagency": [ { "agency_name": "\\DMG" }, { "agency_name": "\\Proximity" } ], "timestamp": "2016-01-15T17:51:30Z", "assetBrand": "Glycerine Non-Kosher Crude", "eventType": "DirectDownloadCompleted", "InformationSecurityClassification": "\\zzzUnassigned", "tags": [], "AssetType": "\\Demo\\Animation", "@timestamp": "2016-12-15T15:12:08.512Z", "ModifiedByName": "pcollins29", "isTemplate": "True", "CreatedDate": "7/23/2016", "usergroup": [ { "group_name": "Power Editors All Facets" } ], "DeploymentLevel": "Product Research", "order_id": 82, "user": { "Employee_Type": "Non-employee", "Email": "abanks29@census.gov", "HR_Country": "US", "Username": "lrivera29@biglobe.ne.jp", "HR_Region": "NA", "HR_Function": "Marketing" }, "usergroup_group_name": "\\Everyone\\Sector/Category Skin and Personal Care : 378587\\Skin and Personal Care Business Consumers", "GeographyToAsset": "\\CANADA GROUP\\CANADA,\\OTHER NA GROUP\\PUERTO RICO,\\US GROUP\\UNITED STATES" } }
The config file looks like this:
input { elasticsearch { hosts => "<my_ip>:9200" index => "index1" query => '{ "query": { "query_string": { "fields": ["_id"], "query": "AVjfAZ_kuIdmMA_mhSxU" } } }' } }
filter { grok { patterns_dir => ["/etc/logstash/patterns"] match => { "usergroup_group_name" => [ "%{CATEGORY:business_consumer_category} Business Consumers", "%{CATEGORY:power_editor_category} Power Editors", "%{CATEGORY:business_admin_category} Business Admins"] } add_field => { "user_permissions.public_category" => "All Assets" "user_permissions.business_consumer_category" => "%{business_consumer_category}" "user_permissions.power_editor_category" => "%{power_editor_category}" "user_permissions.business_admin_category" => "%{business_admin_category}" } break_on_match => false } }
output { elasticsearch { hosts => ["<myip>:9200"] index => "grok_test" codec => "json" } }
The CATEGORY pattern looks like this:
CATEGORY [a-zA-Z ]+
I got this to work. No need for further debugging. Thanks!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.