Unable to parse JSON Array object in Logstash

Badger · June 13, 2017, 7:02pm

With that config, you are parsing each line of JSON separately, which does not work. You need a multiline code on the input. Something like

input{
        stdin{
                codec => multiline {
                        pattern => "^}"
                        negate => true
                        what => next
                        max_lines => 20000
                }
        }
}

Then to parse it the following appears to do what you want

filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "Records" }
}

Lastly I would say that debugging this is much easier with a

output{
        stdout{ codec=>"rubydebug" }
}

Personally I would add a filter to delete the message field provided the json parse works (i.e. no parse failure tag)

    if "_jsonparsefailure" not in [tags] { mutate { remove_field => "message" }  }

Topic		Replies	Views
Json array parsing Logstash	1	390	July 6, 2017
Parsing nested arrays in json objects Logstash	1	357	December 13, 2018
Parse Json Logs using logstash Logstash	2	273	March 25, 2021
Pasring Json file Logstash	4	295	March 18, 2019
How to parse dynamic array json through logstash? Logstash	2	385	July 20, 2020

Unable to parse JSON Array object in Logstash

Related topics