Split field in a json event


(Golauty) #1

Hi all,

How can I split a field in a nested JSON event?

The following message arrives:

"_index": "logstash-2016.01.22",
  "_type": "jenkins",
  "_id": "AVJo32hNLCqC9e2Mq6d2",
  "_score": null,
  "_source": {
    "data": {
      "id": "1092",
      "projectName": "Run_Single__suite",
      "displayName": "#1092",
      "fullDisplayName": "Run_Single_suite #1092",
      "url": "job/Run_Single_suite/1092/",
      "buildHost": "Jenkins",
      "buildLabel": "master",
      "buildNum": 1092,
      "buildDuration": 1,
      "rootProjectName": "Run_Single_suite",
      "rootProjectDisplayName": "#1092",
      "rootBuildNum": 1092,
      "buildVariables": {
        "target_SUT": "0101",
        "report_warnings": "false",
        "product": "XXXX",
        "testsuite": "TeamZXZ\\vol.tcs.assortment",
        "qft_version": "current",
        "target_task": "t-0426",
        "branch": "branches/7.1",
        "testcase": "",
        "revision": "HEAD",
        "node": "xxxxxxx",
        "client": "xxxxx",
        "run_specific_test": "false",
        "user": "xxxxxr"
      }
    }

Now I want to split the field testsuite into two fields named teamname and testsuite.
How can I do that?
I tried with:

mutate 
{
            split => {"[_source][data][buildVariables][testsuite]" => "\\"}
            add_field => { "teamname" => "%{[_source][data][buildVariables][testsuite][0]}" }
            add_field => { "testsuite" => "%{[_source][data][buildVariables][testsuite][1]}" }
}

(Magnus Bäck) #2

Remove [_source] from the field references. Otherwise what you're doing should work. Another way would be to use the grok filter.
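
The grok alternative mentioned in the reply above, as an added example that is not part of the original thread. `_index`, `_type`, `_id` and `_source` are the wrapper Elasticsearch puts around a stored document, so inside the Logstash pipeline the field references start at `[data]`. The tag name `_testsuite_split_failure` is a hypothetical choice, and the pattern assumes the default `config.support_escapes: false`.

```logstash
filter {
  grok {
    # The pattern is a regular expression, so \\ matches one literal backslash.
    # For "TeamZXZ\vol.tcs.assortment" this yields the top-level fields
    # teamname = "TeamZXZ" and testsuite = "vol.tcs.assortment".
    match => {
      "[data][buildVariables][testsuite]" => "^(?<teamname>[^\\]+)\\(?<testsuite>.+)$"
    }
    # Events whose testsuite value has no backslash are tagged instead of
    # silently passing through without the new fields.
    tag_on_failure => ["_testsuite_split_failure"]
  }
}
```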

