Trying to convert JSON to new JSON outputs quoted JSON

On my MacBook (Monterey 12.2.1), I get quoted JSON. I'm hoping for plain JSON.

logstash.yml is
node.name: tester

file.conf is

input {
  file {
    path => ["/Users/geena.rollins/ws/hello.json"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => "json"
    type => "json"
  }
}
filter {
  mutate {
    add_field => { "z" => "Yes" }
  }
}
output {
  stdout { codec => rubydebug }
  file {
    path => "/Users/geena.rollins/ws/result-0.json"
    codec => "json_lines"
  }
}

hello.json is:
{ "x": "Hello, world!!!", "y": 7 }

I'm hoping to get this output:
{ "x": "Hello, world!!!", "y": 7, "z": "Yes" }

But I get this:

{"z":"Yes","y":7,"log":{"file":{"path":"/Users/geena.rollins/ws/hello.json"}},"host":{"name":"basin"},"type":"json","@version":"1","event":{"original":"{ \"x\": \"Hello, world!!!\", \"y\": 7 }"},"@timestamp":"2022-03-29T04:26:50.051510Z","x":"Hello, world!!!"}
{
             "z" => "Yes",
             "y" => 7,
           "log" => {
        "file" => {
            "path" => "/Users/geena.rollins/ws/hello.json"
        }
    },
          "host" => {
        "name" => "basin"
    },
          "type" => "json",
      "@version" => "1",
         "event" => {
        "original" => "{ \"x\": \"Hello, world!!!\", \"y\": 7 }"
    },
    "@timestamp" => 2022-03-29T04:26:50.051510Z,
             "x" => "Hello, world!!!"
}

Thank you for your advice.

You are getting that! If you do not want all the other fields then use a prune filter with the whitelist_names option.

The quoted JSON in [event][original] is the new ECS way of preserving the original [message] field before it goes through any filters. If it is just that you do not want, then

mutate { remove_field => [ "[event]" ] }
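
The prune approach suggested above, written out as an added example (not part of the original replies). It reuses the paths and field names from the question; the anchored patterns for x, y and z are an assumption about which fields should survive.

```logstash
input {
  file {
    path => ["/Users/geena.rollins/ws/hello.json"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => "json"
  }
}
filter {
  mutate {
    add_field => { "z" => "Yes" }
  }
  # prune is placed after mutate so that "z" already exists when fields are filtered.
  prune {
    # Each entry is a regular expression matched against top-level field names.
    # Anchor with ^ and $: an unanchored "x" would also keep any field
    # whose name merely contains the letter x.
    whitelist_names => [ "^x$", "^y$", "^z$" ]
  }
}
output {
  file {
    path => "/Users/geena.rollins/ws/result-0.json"
    codec => "json_lines"
  }
}
```

Top-level fields that match none of the patterns are dropped, which covers [event], [log], [host] and type without naming each one. prune only operates on top-level fields, so it cannot be used to keep one subfield of a nested object.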

Thanks Mr. B!

input {
  file {
    path => ["/Users/geena.rollins/ws/hello.json"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => "json"
    type => "json"
  }
}
filter {
  mutate {
    add_field => { "z" => "Yes" }
    remove_field => [ "[event]", "[log]" ]
  }
}
output {
  stdout { codec => rubydebug }
  file {
    path => "/Users/geena.rollins/ws/result-0.json"
    codec => "json_lines"
  }
}

{"y":7,"type":"json","@version":"1","x":"Hello, world!!!","host":{"name":"basin"},"z":"Yes","@timestamp":"2022-03-29T18:09:15.098892Z"}