Use multiline and grok for splitting complex json input

Elastic Stack Logstash
1

Hi,

Here is the structure of my json input:

{
"searchMeta": {
"interval": "S10",
"sourceIds": [
"test1"
],
"startTimestamp": 1505558633,
"endTimestamp": 1513334633,
"startIndex": 0,
"maxResult": 500,
"prevResults": "",
"nextResults": "https:XXX",
"filter": ""
},
"presence": [
{
"timestamp": 1512086420,
"sourceId": "test1",
"test": "UNKNOWN",
"deviceAddress": "AAAAAA"
},
{
"timestamp": 1512086421,
"sourceId": "test1",
"test": "UNKNOWN",
"deviceAddress": "BBBBB"
}
]
}

I just want to store the data in the presence field.
I found that I can use the filter split for handling the array. Yet, I don't manage to use the multiline with a json input for getting what I want. Any clue on how to deal with this kind of json format?

Here the output I would like to obtain in ES:
{
"@timestamp" => timestamp,
"@version" => "1",
"timestamp": 1512086421,
"sourceId": "test1",
"deviceAddress": "BBBBB"
}

2

Well, by using the split I obtain an output with this format:

{
"@version" => "1",
"host" => "Some_host",
"path" => "some_path",
"@timestamp" => timestamp,
"type" => "json",
"presence" => {
"timestamp": 1512086421,
"sourceId": "test1",
"test": "UNKNOWN",
"deviceAddress": "BBBBB"
}
}

How can I transform it to obtain something like:

{
"@version" => "1",
"host" => "Some_host",
"path" => "some_path",
"@timestamp" => timestamp,
"type" => "json",
"timestamp": 1512086421,
"sourceId": "test1",
"test": "UNKNOWN",
"deviceAddress": "BBBBB"
}

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.