Split of JSON array into multiple events in Kibana

pedro_gonzalez · April 22, 2021, 8:46pm

Hi,

I am trying to split into different events (logs) this log schema:

        "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQS11DmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 33297111461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
              {
                "property": "Target.Completed",
                "data_type": "System.DateTime",
                "value": {
                  "original": null,
                  "new": "2020-08-13T16:59:50.8491889Z"
                }
              },
              {
                "property": "Target.State",
                "data_type": "System.String",
                "value": {
                  "original": "good",
                  "new": "very good."
                }
              },
              {
                "property": "Target.State",
                "data_type": "System.String",
                "value": {
                  "original": "Processing_Completed",
                  "new": "Completed"
                }
              }

into something like this:

       "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQSDmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 33291117461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
              {
                "property": "Target.Completed",
                "data_type": "System.DateTime",
                "value": {
                  "original": null,
                  "new": "2020-08-13T16:59:50.8491889Z"
                }
              }

and this:

        "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQSDmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 3329111461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
{
                "property": "Target.State",
                "data_type": "System.String",
                "value": {
                  "original": "good",
                  "new": "very good."
                }
              }

I am using this but it doesn't work:

input { 
  elasticsearch {
    hosts => ["https://xxxxxxxxxxx"]
    index => "xxxxxxxxx"
    user => "lxxxxxxxxxxxx"
    password => "xxxxxxxxxxx"
    query => '{ "qxxxxxxxxxxx" }}}'
  }
}

filter {
  json {
    source => "message"
  }
  split {
    field => "[data][property_changes]"
  }
   mutate {
    add_field => {
      "[user][name]" => "%{[username]}"
      "[event][id]" => "%{[messageId]}"
      "[event][type]" => "%{[eventType]}"
      "[event][action]" => "%{[data][property_changes][property]}"
    }
    remove_field => ["message"]
   }
}

output {
  elasticsearch {
  hosts => "https://xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx"
  index => "cxxxxxxxxxxx}"
  user => "xxxxxxxxxxx"
  password => "xxxxxxxxxx"
  }
}

I have been checking multiple threads, some of them have a similar case like mine but it doesn't work when I try to adapt it to my situation. I tried something similar to this: Split nested json array

Maybe you can help @magnusbaeck since I have seen you in many threads. Could it work with a ruby plugin?

dadoonet · April 23, 2021, 3:18am

Please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

BTW I moved your question to #elastic-stack:logstash

Badger · April 23, 2021, 2:24pm

What do you mean by that?

pedro_gonzalez · April 23, 2021, 3:03pm

Hi @Badger,

I meant that when I try to use what you see in that thread adjusted to my code, it doesn't split the "property_changes" as expected.

Having in mind my initial log I would expect this:

1 log

       "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQS11DmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 33297111461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
              {
                "property": "Target.Completed",
                "data_type": "System.DateTime",
                "value": {
                  "original": null,
                  "new": "2020-08-13T16:59:50.8491889Z"
                }
              }

2 log

       "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQS11DmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 33297111461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
              {
                "property": "Target.State",
                "data_type": "System.String",
                "value": {
                  "original": "Processing_Completed",
                  "new": "Completed"
                }
              }

3 log

       "_index": "cocacola",
        "_type": "raw",
        "_id": "CqwJ63MBEQS11DmXsDyRZl",
        "_score": 1,
        "_source": {
          "messageId": 33297111461,
          "eventType": "EntityUpdated",
          "username": "Administrator",
          "timeStamp": "2020-08-13T16:59:50.87Z",
          "data": {
            "name": "Target:1111111",
            "definition": "Target",
            "is_new": null,
            "user_id": null,
            "usergroup_id": null,
            "rules": null,
            "property_changes": [
              {
                "property": "Target.State",
                "data_type": "System.String",
                "value": {
                  "original": "Processing_Completed",
                  "new": "Completed"
                }
              }

and I end up having only the number 1 and 3. The second log is not shown in Kibana.

Badger · April 23, 2021, 3:23pm

If some events are being indexed but others are not then I would suspect a mapping exception. For example, if dynamic mapping decided that a particular field should be a date then any event where it was not a date would be rejected, and logstash would log an exception. I do not think that would happen for "[property_changes][value][new]" being "2020-08-13T16:59:50.8491889Z" because that is not a date format that elasticsearch would auto-detect, but it is worth looking at the logstash logs.

pedro_gonzalez · April 25, 2021, 3:17pm

You are right @Badger. That should be the problem. Before making any change in the mapping, how can I set up a determined field to contain multiple data types? For example, "value.new" can contain a string sometimes or it can be a date.

Thanks for your feedback. Really helpful.

Badger · April 25, 2021, 3:26pm

A field in elasticsearch can only have one type. value.new would have to be a string. If dynamic mapping gets that wrong you would have to use a template to set the type.

pedro_gonzalez · April 25, 2021, 5:55pm

The limitation I have is that sometimes this field "value.new" contains a date or a string or a number so according to what I have been reading I cannot do too much on adjusting it to each data type.

Thank you @badger.

system · May 23, 2021, 5:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to split array field in json and send it as separate event Logstash	3	334	October 3, 2019
Split Json Array Objects Logstash	9	1777	April 15, 2020
Logstash and JSON array split [SOLVED] Logstash	11	31683	July 6, 2017
Splitting an array of objects using Logstash Logstash	3	122	January 8, 2024
Split JSON into several events Logstash	5	387	July 6, 2021

Split of JSON array into multiple events in Kibana

Related Topics