Parsing a nested JSON string in Logstash

Question

Parsing a nested JSON string in Logstash

I write logstash in json format, my logs have the following fields, each field is a string, and the atts field is a json string (note: atts subfields are different every time)

here is an example:

{"name":"bob","last":"builder", "atts":"{\"a\":111, \"b\":222}"}

I would like to parse it like this:

  { "name" => "bob", "last" => "builder" "atss" => { "a" => 111, "b" => 222} }

here is my configuration:

 input { stdin { } } filter { json { source => "message" target => "parsed" } } output { stdout { codec => rubydebug }}

ok, so now I get the following:

 { "@timestamp" => 2017-04-05T12:19:04.090Z, "parsed" => { "atss" => "{\"a\":111, \"b\":222}", "name" => "bob", "last" => "the builder" }, "@version" => "1", "host" => "0.0.0.0" }

how can I parse the atts field in json to get:

 { "@timestamp" => 2017-04-05T12:19:04.090Z, "parsed" => { "atss" => {"a" => 111, "b" => 222}, "name" => "bob", "last" => "the builder" }, "@version" => "1", "host" => "0.0.0.0" }

+5

logstash

dina Apr 05 '17 at 13:29

source share

2 answers

There is a json filter. Just give him the field that you want to analyze and the purpose in which you want.

Sort of:

 json { source => "[parsed][atss]" target => "[parsed][newfield]" }

I'm not sure if you can use atss as a new field. It may or may not work. If this is not the case, use the mutate filter for remove_field and rename_field .

+3

Alcanzar Apr 05 '17 at 14:25

source share

dina · Accepted Answer · 2017-04-05T14:41:12+0000

thanks @Alcanzar that's what i did

 input { stdin { } } filter { json { source => "message" target => "message" } json { source => "[message][atts]" target => "[message][atts]" } } output { stdout { codec => rubydebug }}

Parsing a nested JSON string in Logstash

More articles: