Yet another logstash and json issue, unable to ingest a "basic" json

cibernicola · July 6, 2021, 7:36pm

I have a dir with tons of subdirs with a json file like this:

 
{
    "id": "2234",
    "name": "Text",
    "url": "https://url.com",
    "param": "string",
    "last": "2021-07-06 20:05:49.458724",
    "url2": "url.com"
}

I've tried all things I'm able to search, actually I'm with this L config:

# Input section
input {
  file {
    type => "json"
	codec => multiline { pattern => "^Spalanzani" what => "previous" negate => true auto_flush_interval => 1 }

    path => "path/**/*.json"
    start_position => "beginning"
	sincedb_path => "path.log"
  }
}

#filter section
filter {
		  json {
			source => "message"
		  }
		mutate { 
		 remove_field => ["host", "@version",  "type", "path", "tags", "@timestamp"]				
		}	
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "myIndex"
    user => "usr" 
    password => "mypwd"
  }
    stdout {codec => rubydebug}
}

Don't know te reason but I'm sure that some time ago I was able to ingest a json file much more complex simply setting up type and condec to "json".... With previous config I get a message field filled with all fields, without last }, Why?
Any idea suggestion? Thanks.

Badger · July 6, 2021, 8:28pm

Are you saying that with that example file you get

{    "id": "2234",    "name": "Text",    "url": "https://url.com",    "param": "string",    "last": "2021-07-06 20:05:49.458724",    "url2": "url.com"

in the message field?

cibernicola · July 6, 2021, 8:57pm

Exactly!
I can't get tje point
Why with this basic json E.L. can't ingest all data in each field inside the doc? What m I doing wrong?

Badger · July 6, 2021, 9:35pm

I do not see anything wrong with your configuration. You could try increasing auto_flush_interval to see if that makes any difference but I very much doubt that it will.

cibernicola · July 7, 2021, 10:09am

The "problem" is that it inserts all the fields from the json file into the "message" field instead of creating a separate field within the elasticsearch doc for each field in the json file.
I have tried much more complex files that, once ingested by logstash to elasticsearch have had different fields. I don't know what changes from one to the other :S

system · August 4, 2021, 10:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON Parsing Error - Logstash Logstash	2	312	January 2, 2020
Logstash configuration for multiple json (nested) files in a directory Logstash ingest-pipeline	4	1698	April 13, 2021
Nested Json logs - how to filter correctly Logstash	12	4627	July 6, 2017
Ingesting JSON files, format problem? Logstash	13	4094	July 6, 2017
Parsing json file with logstash Logstash	12	6985	February 11, 2020

Yet another logstash and json issue, unable to ingest a "basic" json

Related topics