Transforming data array to multiple event copies

clasyc · November 14, 2019, 3:59pm

Hello there, I'm new with all elasticsearch stack so it may sound easy and simple task, but I can't find information on how to achieve what I want.

I'm using SQS input to the Logstash and output to the elasticsearch.

So there is an example of what do I expect.

Input:

{
     "contacts": ["1", "2", "3", "4"],
     "property": "something",
     "data": "15489",
     "code": "871111"
}

Output (4 separate documents with all fields cloned expect "contacts" changes to -> "contact" per each value in array):

{
     "contact": "1",
     "property": "something",
     "data": "15489",
     "code": "871111"
}
{
     "contact": "2",
     "property": "something",
     "data": "15489",
     "code": "871111"
}
{
     "contact": "3",
     "property": "something",
     "data": "15489",
     "code": "871111"
}
{
     "contact": "4",
     "property": "something",
     "data": "15489",
     "code": "871111"
}

Any ideas? Thanks

Badger · November 14, 2019, 5:45pm

You can split an array into multiple events using a split filter.

clasyc · November 15, 2019, 7:53am

Thanks @Badger!

Yes it worked, should have researched better on this one.

There is a solution:

filter {
        split {
                field => "contacts"
                target => "contact"
                remove_field => ["contacts"]
        }
}

system · December 13, 2019, 7:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.