Split json

JPelastic · March 25, 2020, 7:21am

Problem is basic: I just don't understand how split/mutate works.
I got nested json data from an elastic source that I want to flatten into a new elastic target (for context).

Data:

    ....
    "artikel" => {
          "gTIN" => "04011395096406",
          "artikelcodeLeverancier" => "0517797",
          "artikelcodeAfnemer" => ""
    },
    ....

and logstash .conf

json {
		source => "artikel"
	}
	split {
		field => "artikel"
	}
	mutate {
		add_field => {
			"gtin" => "%{artikel}"
		}
		remove_field => [ "artikel" ]
	}

Result looks like this (output to stdout). I believe the gtin field now contains json - how do I only get the gtin?

    ....
    "verzenderAdresStraat" => "Bovenkerkerweg 10-12",
    "gtin" => "{\"artikelcodeAfnemer\":\"\",\"artikelIdentificatie\":[{\"promotieVariantcode\":\"\",\"artikelomschrijving\":\"BJ WCD 1V RA 2300EAPJ MP AP\",\"nadereIdentificerendeKenmerken\":\"\",\"artikelStatistiekcode\":\"\"}],\"gTIN\":\"04011395090176\",\"artikelcodeLeverancier\":\"3926698\"}",
    "partijnummer" => "",
    ...

Badger · March 25, 2020, 3:39pm

The split filter can operate on an array or a string, and [artikel] is neither one. It should just log an error and not do anything.

To reference a field inside [artikel] you can use

mutate { add_field => { "gtin" => "%{[artikel][gTIN]}" } }

system · April 22, 2020, 3:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split nested json array from log Logstash	13	3994	May 18, 2020
Logstash Mutate Split doesn't work Logstash	3	714	August 14, 2018
Problem when splitting a nested JSON array Elasticsearch	5	705	May 20, 2021
How to split JSON nested arrays? Logstash	3	1164	May 14, 2018
Trying to access nested json in logstash mutate filter Logstash	10	20523	July 6, 2017

Split json

Related topics