Split json

Problem is basic: I just don't understand how split/mutate works.
I got nested json data from an elastic source that I want to flatten into a new elastic target (for context).

Data:

    ....
    "artikel" => {
          "gTIN" => "04011395096406",
          "artikelcodeLeverancier" => "0517797",
          "artikelcodeAfnemer" => ""
    },
    ....

and logstash .conf

    json {
        source => "artikel"
    }
    split {
        field => "artikel"
    }
    mutate {
        add_field => {
            "gtin" => "%{artikel}"
        }
        remove_field => [ "artikel" ]
    }

Result looks like this (output to stdout). I believe the gtin field now contains json - how do I only get the gtin?

    ....
    "verzenderAdresStraat" => "Bovenkerkerweg 10-12",
    "gtin" => "{\"artikelcodeAfnemer\":\"\",\"artikelIdentificatie\":[{\"promotieVariantcode\":\"\",\"artikelomschrijving\":\"BJ WCD 1V RA 2300EAPJ MP AP\",\"nadereIdentificerendeKenmerken\":\"\",\"artikelStatistiekcode\":\"\"}],\"gTIN\":\"04011395090176\",\"artikelcodeLeverancier\":\"3926698\"}",
    "partijnummer" => "",
    ...

The split filter can operate on an array or a string, and [artikel] is neither one. It should just log an error and not do anything.

To reference a field inside [artikel] you can use

    mutate { add_field => { "gtin" => "%{[artikel][gTIN]}" } }
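
An added example (not part of the original thread and not written by either poster): a filter section that applies the field-reference syntax above to the sample event. It assumes [artikel] arrives as an object and that [artikel][artikelIdentificatie] is an array, as the stdout output in the question shows. The target field names other than gtin are chosen for illustration.

```logstash
filter {
  # [artikel] is already an object on the event, so neither json nor split
  # is needed to read its scalar members. The conditional avoids storing the
  # unresolved reference text "%{[artikel][gTIN]}" when the field is absent.
  if [artikel][gTIN] {
    mutate {
      add_field => {
        "gtin" => "%{[artikel][gTIN]}"
        # target name below is an assumption for this example
        "artikelcode_leverancier" => "%{[artikel][artikelcodeLeverancier]}"
      }
    }
  }

  # [artikel][artikelIdentificatie] is an array, which is what split expects.
  # split emits one event per element and replaces the array with that single
  # element, so its members can then be referenced like any nested field.
  if [artikel][artikelIdentificatie] {
    split {
      field => "[artikel][artikelIdentificatie]"
    }
    mutate {
      add_field => {
        "artikelomschrijving" => "%{[artikel][artikelIdentificatie][artikelomschrijving]}"
      }
    }
  }

  # Drop the nested source object once the needed values are at top level.
  mutate {
    remove_field => [ "artikel" ]
  }
}
```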
