Hello,
I'm trying to split JSON using the split filter in Logstash, but with no success.
This data is coming straight from an API and then forwarded to the filter in Logstash.
The structure of the JSON is the following:
    {
      "InfrastructureInfo": {
        "LastAnalyzedOn": "Timestamp"
      },
      "Applications": [
        {
          "GUID": "App_GUID",
          "Name": "App_Name",
          "LevelGUID": "Level_GUID",
          "Findings": [
            {
              "CategoryGUID": "Cat_ID",
              "PatternGUID": "Pat_ID",
              "Count": 1
            }
          ],
          "Modules": [
            {
              "GUID": "GUID",
              "Name": "Name",
              "LevelGUID": "Level_GUID",
              "Findings": [
                {
                  "CategoryGUID": "Cat_ID",
                  "PatternGUID": "Pat_ID",
                  "Count": 14
                },
                {
                  "CategoryGUID": "Cat_ID",
                  "PatternGUID": "Pat_ID",
                  "Count": 13
                }
              ]
            },
            {
              "GUID": "GUID",
              "Name": "Name",
              "LevelGUID": "Level_GUID",
              "Findings": [
                {
                  "CategoryGUID": "Cat_ID",
                  "PatternGUID": "Pat_ID",
                  "Count": 2
                }
              ]
            }
          ]
        },
        {
          "GUID": "Next_App_GUID",
          "Name": "Next_App_Name",
          "LevelGUID": "Next_Level_GUID",
          ...
        }
      ],
      "Page": {
        "Limit": 200
      }
    }
So, the JSON contains multiple Applications, each Application has one or more Modules, and every module has an array of one or more Findings.
I would like the result to be something like:

    "Application_name": "App_Name",
    "Module_name": "Mod_name",
    "Finding_pattern": "Pat_ID",
    "Finding_pattern_count": 1

Per found pattern in a module in an application.
I've tried about every post on here but can't get my Logstash to work. Currently I have this as the Logstash filter configuration:

    filter {
      split { field => "[Applications]" }
      split { field => "[Applications][Modules][Findings]" }
    }

But it keeps giving me the message:

    Only String and Array types are splittable. field:[Applications][Modules][Findings] is of type = NilClass
Can someone tell me what the issue is?
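
An added example, not part of the original post: a filter that splits one nesting level at a time. After the first split `[Applications]` is a single object but `[Applications][Modules]` is still an array, so `[Applications][Modules][Findings]` resolves to nil until the modules are split as well. It assumes the parsed JSON sits at the root of the event, as in the configuration above; dropping events that carry no module findings is also an assumption.

```logstash
filter {
  # 1. One event per application: [Applications] becomes a single object.
  split { field => "[Applications]" }

  # 2. One event per module. Without this step [Applications][Modules] is
  #    still an array and the next field reference resolves to nil.
  if [Applications][Modules] {
    split { field => "[Applications][Modules]" }
  }

  # 3. One event per finding of that module. The guard avoids the NilClass
  #    split failure for applications or modules that report no findings.
  if [Applications][Modules][Findings] {
    split { field => "[Applications][Modules][Findings]" }

    # 4. Flatten to the four fields asked for in the post, then discard the
    #    nested originals (including the application-level Findings array).
    mutate {
      rename => {
        "[Applications][Name]" => "Application_name"
        "[Applications][Modules][Name]" => "Module_name"
        "[Applications][Modules][Findings][PatternGUID]" => "Finding_pattern"
        "[Applications][Modules][Findings][Count]" => "Finding_pattern_count"
      }
      remove_field => ["Applications", "InfrastructureInfo", "Page"]
    }
  } else {
    # Assumption: events without module-level findings are not wanted.
    drop { }
  }
}
```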