Split - Only String and Array types are splittable. field:[value] is of type = NilClass

exilemirror · December 27, 2019, 8:11am

Hi I'm trying to filter a JSON file extracted from Microsoft Graph API.
JSON file content below.

{
"@odata.context": "https://microsoft.com",
"value": [
{
"currentScore": 203.0,
"maxScore": 802.0,
"createdDateTime": "2019-12-26T00:00:00Z"
},
{
"currentScore": 203.0,
"maxScore": 802.0,
"createdDateTime": "2019-12-25T00:00:00Z"
}
]
}

Having issue pulling out the currentScore, maxScore & createdDateTime data. Getting split - Only String and Array types are splittable. field:[value] is of type = NilClass error.

My test config is below. Having a hard time figuring out on how to use the split under filter section. Your help is much appreciated.

input {
stdin {
codec => json
}
}

filter {
split {
field => "[value]"
}
mutate {
add_field => {
"currentScore" => "%{[value][currentScore]}"
"maxScore" => "%{[value][maxScore]}"
"createdDateTime" => "%{[value][createdDateTime]}"
}
update => { "host" => "Microsoft Graph" }
remove_field => [ "@version","createdDateTime" ]
}
date {
match => [ "createdDateTime", "ISO8601" ]
target => "@timestamp"
}
}

output {
stdout {
codec => rubydebug
}
}

system · January 24, 2020, 8:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.