Split type failure Logstash

Elastic Stack Logstash
1

Dear Team,

I have configured below logstash conf file . Trying to give stdin input and getting an error as split type failure. PFB details. We need to create two events based on metricValues.

Conf file

 input {
  stdin {
    codec => multiline {
       pattern => "^\s+"
       negate => false
       what => previous
       max_lines => 20000
    }
  }
}
filter {
json {
    source => "message"
    target => "message"
  }
split {
  field => "metricValues"
 }
}
output {  
  stdout {
  codec => rubydebug
 }
 file {
    path => ['D:\Test_bh.log']
    flush_interval => 0
  }
} 

Input which we give is as below
[{"metricId":2402666,
  "frequency":11,
 "metricValues":[
 { "startTimeInMillis":1690194000000,
  "occurrences":1,
  "current":0,
 "min":0,
 "max":0,
 "useRange":true,
  "count":0,
 "sum":0,
 "value":0,
 "standardDeviation":0
 },
 { "startTimeInMillis":1690194600000,
 "occurrences":1,
 "current":225,
  "min":225,
 "max":225,
 "useRange":true,
  "count":1,
 "sum":225,
 "value":225,
  "standardDeviation":0
 }]}]

Output

Output is as below
[2023-07-29T16:51:01,939][WARN ][logstash.filters.split   ][main][ca0090ef804b41fc1df4d0784f800741445dcd67fa8a0ea934a4f2750782052c] Only String and Array types are splittable. field:metricValues is of type = NilClass
{
          "tags" => [
        [0] "multiline",
        [1] "_split_type_failure"
    ],
       "message" => [
        [0] {
            "metricValues" => [
                [0] {
                          "occurrences" => 1,
                              "current" => 0,
                                "value" => 0,
                                "count" => 0,
                                  "min" => 0,
                    "startTimeInMillis" => 1690194000000,
                                  "max" => 0,
                             "useRange" => true,
                                  "sum" => 0,
                    "standardDeviation" => 0
                },
                [1] {
                          "occurrences" => 1,
                              "current" => 225,
                                "value" => 225,
                                "count" => 1,
                                  "min" => 225,
                    "startTimeInMillis" => 1690194600000,
                                  "max" => 225,
                             "useRange" => true,
                                  "sum" => 225,
                    "standardDeviation" => 0
                }
            ],
               "frequency" => 11,
                "metricId" => 2402666
        }
    ],
      "@version" => "1",
    "@timestamp" => 2023-07-29T11:21:01.529Z,
          "host" => "QKNBK2376"
}
[2023-07-29T16:51:02,352][INFO ][logstash.outputs.file    ][main][ebc807caeda4cc022d5b5b5164e0e1a57d52389da2b1cb505de9aa8cd988c7dd] Opening file {:path=>"D:/Test_bh.log"}
[2023-07-29T16:51:23,735][INFO ][logstash.outputs.file    ][main][ebc807caeda4cc022d5b5b5164e0e1a57d52389da2b1cb505de9aa8cd988c7dd] Closing file D:/Test_bh.log

Please suggest.

Regards,
Bharat
or paste code here
2

You are using a target in the json filter, so the content of your json will be under the message field, you will do not have a field named metricValues on the root of your document, you have a field named metricValues inside the json object messages.

In logstash the correct way to reference this field would be [messages][metricValues]

Also, if you look at your output your message is also an array, so you would need another split filter on this field.

Something like this:

split {
   field => "message"
}
split {
    field => "[message][metricValues]"
}
3

Hi Leandro,

Your solution worked. Thanks for your help.

Regards,

Bharat

98C3111F5EC34212A213AF17163FA3F8.png
98C3111F5EC34212A213AF17163FA3F8.png708×1 96 Bytes

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.