Using filters on nested fields

shambar · February 1, 2017, 5:56pm

I am having an issue trying to get logstash to see the items in the array beyond the first item.

the data will come in like.

{"id": "430229930",
"item_tbl" :[{"itemid": 1,"itemname":"eggs","quantity": 10},{"itemid": 2,"itemname":"milk","quantity": 10}]}

I can access the first item in the array by referencing [item_tbl][0][itemname]

I know the second item is [1] but how do I get logstash to mutate or manipulate all the items in the array?

the documents will vary on the number of items in the array.

I would like to use just basic filters like mutate on the fields.

magnusbaeck · February 2, 2017, 6:51am

I know the second item is [1] but how do I get logstash to mutate or manipulate all the items in the array?

That depends on the filter being used. Some support arrays and some don't. You may have to use a ruby filter to work around such limitations.

shambar · February 2, 2017, 8:42pm

I would like to use the mutate filter and rename itemname to item_name. I have not used ruby yet so there may be a bit of a learning curve for me to go that route.

magnusbaeck · February 3, 2017, 6:32am

What you want to do will require use of the ruby filter.

system · March 3, 2017, 6:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.