Unable to parse JSON Array object in Logstash

Badger · June 13, 2017, 7:02pm

With that config, you are parsing each line of JSON separately, which does not work. You need a multiline code on the input. Something like

input{
        stdin{
                codec => multiline {
                        pattern => "^}"
                        negate => true
                        what => next
                        max_lines => 20000
                }
        }
}

Then to parse it the following appears to do what you want

filter{
        mutate { gsub => ["message", "\n", ""] }
        json{ source => "message" }
        split{ field => "Records" }
}

Lastly I would say that debugging this is much easier with a

output{
        stdout{ codec=>"rubydebug" }
}

Personally I would add a filter to delete the message field provided the json parse works (i.e. no parse failure tag)

    if "_jsonparsefailure" not in [tags] { mutate { remove_field => "message" }  }

Topic		Replies	Views
Parsing nested arrays in json objects Logstash	1	357	December 13, 2018
Parsing array of json objects with logstash and injesting to elastic Logstash	9	11263	November 12, 2019
How can I parse nested JSON strings to JSON objects? Logstash	7	1453	November 28, 2021
Logstash nested array JSON parsing Logstash	15	12062	October 20, 2017
Parse the json [{},{},{}][{},{},{}] with logstash Logstash	1	250	December 15, 2020

Unable to parse JSON Array object in Logstash

Related Topics