Reputation: 1
Logstash: How to extract an object without knowing keyname
The input JSON I am expecting contains a fields that contains some objects. The key of the object is expected to be random so I cannot specify that in the logstash yml file.
Sample JSON:
{
"RootKey": {
"FieldName": {
"SubField": "SubFieldValue"
}
}
}
The "FieldName" itself could be any random string in the input, so the same JSON might look like this in a diferent event -
{
"RootKey": {
"SomeDifferentFieldName": {
"SubField": "SubFieldValue"
}
}
}
Weirdly enough, the "SubField" key name is going to be static.
I thought I could do something like this -
mutate { add_field => { fieldValue=> "[RootKey][0][SubField]" } }
But that seems to work fine for arrays and not an object. Any other representations run into error - eg.
mutate { add_field => { fieldValue => "[RootKey][][SubField]" } }
mutate { add_field => { fieldValue=> "[RootKey]{0}[SubField]" } }
mutate { add_field => { fieldValue=> "[RootKey]{}[SubField]" } }
Upvotes: 0
Views: 142
Answers (1)
Reputation: 4072
You would need to use a ruby filter. Try
ruby {
code => '
root = event.get("RootKey")
if root
root.each { |x|
event.set("fieldValue", x["SubField"])
}
end
'
}
Upvotes: 1
Related Questions
- flatten json with logstash ruby
- Extract JSON from a log Logstash
- Convert array of hash by logstash to simple hash
- Extracting nested object with Logstash and Ruby
- Parsing JSON objects with arbitrary keys in Logstash
- How not to parse some fields by logstash?
- Get only nested JSON in Logstash
- Loop through nested json in logstash with ruby
- How do I parse a json-formatted log message in Logstash to get a certain key/value pair?
- Accessing nested JSON Value with variable key name in Logstash