I've been trying to ingest audit cloud logs, and they contain multiple arrays of objects. It's a mess. I've been trying to use the split module in Logstash, but I'm not sure if this is the best way of doing it.
I search for the field existence first, and if the filed exist, I'll split. Is there a better way of doing it?
filter {
if [protoPayload][request][disks] {
split { field => "[protoPayload][request][disks]" }
split { field => "[protoPayload][request][labels]" }
split { field => "[protoPayload][request][networkInterfaces]" }
split { field => "[protoPayload][request][serviceAccounts]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][response][error][errors] {
split { field => "[protoPayload][response][error][errors]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][request][instances] {
split { field => "[protoPayload][request][instances]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][request][change][additions] {
split { field => "[protoPayload][request][change][additions]" }
split { field => "[protoPayload][response][change][additions]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][request][pathMatchers] {
split { field => "[protoPayload][request][pathMatchers]" }
split { field => "[protoPayload][request][hostRules]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][resourceOriginalState][alloweds] {
split { field => "[protoPayload][resourceOriginalState][alloweds]" }
split { field => "[protoPayload][request][alloweds]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][request][backends] {
split { field => "[protoPayload][request][backends]" }
split { field => "[protoPayload][authorizationInfo]" }}
else if [protoPayload][authorizationInfo] {
split { field => "[protoPayload][authorizationInfo]" }}
}
This seems like never ending job. Any suggestions?