Unbale to add filed in logstash for json source

Elastic Stack Logstash
1

Hi,

I am trying to add new filed based on the filed exists in the event, but I'm unable add can you please help on that.

Event:

{
"@version": "1",
"@timestamp": "2019-04-23T18:04:19.680Z",
"headers": {
"http_version": "HTTP/1.1",
"http_accept": "/",
"http_user_agent": "python-requests/2.15.1",
"accept_encoding": "gzip, deflate",
"request_path": "/",
"connection": "keep-alive",
"request_method": "POST",
"content_length": "1430",
"http_host": "10.75.30.138:9600"
},
"message": "{"cluster_host_id": "localhost", "counter": 13, "stdout": "\r\nTASK [fetch galaxy roles from requirements.yml (forced update)] ****************", "tower_uuid": "", "@timestamp": "2019-04-23T18:05:46.013Z", "playbook": "project_update.yml", "event_display": "Task Started (fetch galaxy roles from requirements.yml (forced update))", "start_line": 17, "id": 157421, "uuid": "fa163e19-4617-5547-021b-000000000021", "event": "playbook_on_task_start", "failed": false, "role": "", "type": "logstash", "event_data": {"play_pattern": "all", "play": "all", "task": "fetch galaxy roles from requirements.yml (forced update)", "task_args": "", "name": "fetch galaxy roles from requirements.yml (forced update)", "pid": 3, "play_uuid": "fa163e19-4617-5547-021b-00000000001d", "is_conditional": false, "task_uuid": "fa163e19-4617-5547-021b-000000000021", "playbook_uuid": "b4277288-81ad-443d-8839-abdf51d4f2f2", "playbook": "project_update.yml", "task_action": "command", "task_path": "/var/lib/awx/venv/awx/lib/python2.7/site-packages/awx/playbooks/project_update.yml:150"}, "play": "all", "host": "a.ashs2.f.net.com", "project_update": 10261, "logger_name": "analytics.job_events", "message": "Event data saved.", "task": "fetch galaxy roles from requirements.yml (forced update)", "level": "INFO", "verbosity": 0, "changed": false, "modified": "2019-04-23T18:05:45.000Z", "end_line": 19, "created": "2019-04-23T18:05:45.000Z"}",
"host": "10.75.34.196"
}

In the above event highlighted one filed, based on that I need to add new filed, I written config like this :slight_smile:

input {
file {
path => "input.json"
start_position => "beginning"
codec => "json"
}
}
filter {
json {
source => "message"
}
if [message][failed] == 'false' {
mutate {
add_field => {
"job_status" => "success"
}
}
}
if [message][failed] == 'true' {
mutate {
add_field => {
"job_status" => "failed"
}
}
}
}
output {
file{
path => "output.json"
codec => json_lines
}
}

but I'm unable to add the field can you please help me.

2

if either json codec or the json filter is able to parse the message (and you should only need one of those, not both) then I would expect the failed field to be at the top level. Additionally, its a boolean, so a string comparison with "false" is not what you want. Your test should be

if ![failed] {
3

Hi Badger,
Thanks for your help, It's solved

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.