Problem when splitting a nested JSON array

pedro_gonzalez · April 21, 2021, 3:34pm

Hi,

I have seen multiple thread talking about this problem but with some differences. I have the following log schema:

"messageId": 123,
"timestamp": "2020-09-14T03:35:37",
"extra": {
    "name": "typefood",
    "food_changes": [ {
         "property": "coca",
         "data_type": "experience"},
          {"property": "tea",
          "data_type": "amazing"
          }
    ]

I would like to get what you can see on "food_changes" splitted into two different logs like this outcome:

    "message.id": 123,
    "timestamp": "2020-09-14T03:35:37",
    "extra.name": "typefood"
    "extra.food_changes.property": "coca"
    "extra.food_changes.data_type": "experience"

    "message.id": 123,
    "timestamp": "2020-09-14T03:35:37",
    "extra.name": "typefood"
    "extra.food_changes.property": "tea"
    "extra.food_changes.data_type": "amazing"

What I am trying is:
filter {
json {
source => "message"
}
split {
field => "[extra][food_changes]"
}
mutate {
add_field =>
"[message][id]" => "%{[messageid]}

}

But it only shows in Kibana the fields for the first log...

"messageid": 123,
"timestamp": "2020-09-14T03:35:37",
"extra.name": "typefood"
"extra.food_changes.property": "coca"
"extra.food_changes.data_type": "experience"

not for the second log...

"messageid": 123,
"timestamp": "2020-09-14T03:35:37",
"extra.name": "typefood"
"extra.food_changes.property": "tea"
"extra.food_changes.data_type": "amazing"

Can someone please give me some insight?

leandrojmp · April 21, 2021, 3:41pm

What is your full logstash pipeline? Are you setting document_id to something or are you letting elasticsearch set the document id?

pedro_gonzalez · April 21, 2021, 4:57pm

Hi Leandro,

@leandrojmp . Yes, I am letting elasticsearch to set the document id.

with "full logstash pipeline", do you mean the logstash.yml or where my config to ingest the logs I pasted before is?

leandrojmp · April 21, 2021, 8:40pm

Your full pipeline configuration, you shared only part of it, you need to share the complete pipeline with the inputs, filters and outputs.

pedro_gonzalez · April 22, 2021, 5:59pm

Hi @leandrojmp,

Thank you very much for your willingness to help. I made some changes compared to what I saw here and it worked. The problem of my real log schema is that it has few nested JSON arrays at different levels that's why it was a bit more complex than what you can see here:

Thank you Leandro again.

system · May 20, 2021, 5:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split nested json array from log Logstash	13	4081	May 18, 2020
Json array splitting in logstash Logstash	11	5943	May 11, 2017
Help to handle the nested JSON array Logstash	4	425	September 13, 2019
Split of JSON array into multiple events in Kibana Logstash	8	938	May 23, 2021
Parse/split nested single JSON array in Logstash Logstash	5	1917	February 22, 2017

Problem when splitting a nested JSON array

Related topics