Good Day,
I am trying to unnest a JSON log and I can't seem to get it to work. When I try to unnest I get the already unnested JSON showing up 3 times and I while I am able to unnest the JSON I can't write the actual field value to the newly unnested JSON.
So if I unnest and try to write the existing value of the SpanId field it just displays the actual logstash code
Log
{
"lvl": "info",
"eid": 1,
"en": "RequestStarting",
"tim": "2023-10-05T10:07:19.157174Z",
"msg": "Request starting HTTP/2 GET https://FQDN/space/lodwe/independentFile/1lki000000000000k7002c000000 - -",
"cat": "Microsoft.AspNetCore.Hosting.Diagnostics",
"scp": [
{
"SpanId": "569b3b4281694978",
"TraceId": "984d20903a7ad189ab4e7d25e9e60a9b",
"ParentId": "b7pa9b27b48e0726"
},
{
"ConnectionId": "0HMKB5NAOAQU1"
},
{
"RequestId": "0HMKP9NAOAQU7:000008OU",
"RequestPath": "/space/ lodwe /independentFile/1bca000000000000c7002c000000"
}
],
"ste": [
{
"Protocol": "HTTP/2",
"Method": "GET",
"ContentType": null,
"ContentLength": null,
"Scheme": "https",
"Host": "FQDN",
"PathBase": "",
"Path": "/space/lodwe/independentFile/1lki000000000000k506001d000000",
"QueryString": ""
}
]
}
and I use the following
input {
tcp {
port => 8090
tags => ["test"]
codec => json { }
}
}
filter
{
split { field => "[scp]" }
mutate {
add_field => {
"SpanId" => "%{[scp][SpanId]"
}
remove_field => [ "[scp]" ]
}
split { field => "[ste]" }
mutate {
remove_field => [ "[ste]" ]
}
date {
locale => "$LANG"
match => [ "tim", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ" ]
target => "@timestamp"
remove_field => ["msg","tim","bep","@version","RequestPath","tags"]
}
}
output {
# elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
I get the following output
{
"port" => 50574,
"en" => "RequestStarting",
"host" => "localhost",
"@timestamp" => 2023-10-05T10:07:19.157Z,
"cat" => "Microsoft.AspNetCore.Hosting.Diagnostics",
"SpanId" => "%[scp][SpanId]",
"eid" => 1,
"lvl" => "info"
}
{
"port" => 50574,
"en" => "RequestStarting",
"host" => "localhost",
"@timestamp" => 2023-10-05T10:07:19.157Z,
"cat" => "Microsoft.AspNetCore.Hosting.Diagnostics",
"SpanId" => "%[scp][SpanId]",
"eid" => 1,
"lvl" => "info"
}
{
"port" => 50574,
"en" => "RequestStarting",
"host" => "localhost",
"@timestamp" => 2023-10-05T10:07:19.157Z,
"cat" => "Microsoft.AspNetCore.Hosting.Diagnostics",
"SpanId" => "%[scp][SpanId]",
"eid" => 1,
"lvl" => "info"
}