EviSvil

Reputation: 636

LogStash - Parse http filter result

As always, the official docs lack examples.

I have a filter that calls an API and has to add fields by parsing the API result:

http {
    url => "rest/api/subnet/check_subnet_from_ip/"
    query =>  { "ip" => "%{[source][ip]}" }
    verb => GET
}

API response is something like this:

{ "name": "SUBNET1", "cidr": "192.168.0.0/24" }

I need to add new fields with these results. I need to consider an empty result, {}.

I can't find any example of parsing the results.

Thanks.

Upvotes: 3

Views: 3067

Answers (1)

leandrojmp

Reputation: 7463

Your response is a JSON document, so you need to use the json filter to parse it; look at the documentation of the json filter for all the options available.

But basically you will need something like this:

http {
    url => "rest/api/subnet/check_subnet_from_ip/"
    query =>  { "ip" => "%{[source][ip]}" }
    verb => GET
    target_body => api_response
}
json {
    source => "api_response"
}

To add new fields you need to use the mutate filter; look at the documentation of the mutate filter for all the options available.

To add a new field you need something like this:

mutate {
    add_field => { "newFieldName" => "newFieldValue" }
}

Or to add a new field with the value from an existing field:

mutate {
    add_field => { "newFieldName" => "%{existingField}" }
}

Considering an answer in the format:

{ "name": "SUBNET1", "cidr": "192.168.0.0/24" }

and the fact that you need to check for empty responses, you will also need to add conditionals, so your pipeline should look something like this:

http {
    url => "rest/api/subnet/check_subnet_from_ip/"
    query =>  { "ip" => "%{[source][ip]}" }
    verb => GET
    target_body => api_response
}
json {
    source => "api_response"
}

if [api_response][name] {
    mutate {
        add_field => { "[source][subnet][name]" => "%{[api_response][name]}" }
    }
}

if [api_response][cidr] {
    mutate {
        add_field => { "[source][subnet][cidr]" => "%{[api_response][cidr]}" }
    }
}

This will check whether the fields name and cidr exist, and if they do, it will add the new fields.

You can also rename the fields if you want; just use this mutate configuration instead.

mutate {
    rename => { "name" => "subnet_name" }
}

Upvotes: 5
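The same parse-then-add-fields logic, written as a Logstash ruby filter script instead of a json filter plus mutate conditionals, as an added example that is not part of the question or the answer above. It uses the real ruby-filter entry point (`filter(event)` returning an array of events) and the real Event API calls `event.get`, `event.set` and `event.tag`; everything else is an assumption: the `StubEvent` class is a stand-in for Logstash's Event so the file runs on plain Ruby, the `_subnet_lookup_*` tag names and the script path in the comment are made up for the example, and the sample API bodies are constructed, not captured. It handles the body whether it arrives as a raw string or has already been decoded into a Hash, treats the empty result `{}` explicitly, and, beyond what the answer shows, refuses a returned CIDR that does not actually contain the looked-up IP.

```ruby
require "json"
require "ipaddr"

# Stand-in for the Logstash Event API (get/set/tag with [a][b] field
# references) so this script runs outside Logstash. Inside Logstash the real
# Event object is passed to filter(event) and this class is unused.
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(ref)
    path(ref).reduce(@fields) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    keys = path(ref)
    parent = keys[0...-1].reduce(@fields) { |node, key| node[key] ||= {} }
    parent[keys.last] = value
  end

  def tag(name)
    set("tags", (Array(get("tags")) + [name]).uniq)
  end

  def to_hash
    @fields
  end

  private

  # "[source][ip]" -> ["source", "ip"]; a bare "tags" -> ["tags"]
  def path(ref)
    keys = ref.scan(/\[([^\]]+)\]/).flatten
    keys.empty? ? [ref] : keys
  end
end

# Entry point in the shape Logstash's ruby filter expects when loaded via
#   ruby { path => "/etc/logstash/subnet_lookup.rb" }   # hypothetical path
# It reads the body the http filter stored in api_response (target_body),
# adds [source][subnet][name] / [source][subnet][cidr] only when the lookup
# returned them, and tags the event otherwise so the failure stays visible.
def filter(event)
  body = event.get("api_response")
  begin
    data = body.is_a?(String) ? JSON.parse(body) : body
  rescue JSON::ParserError
    event.tag("_subnet_lookup_unparseable")
    return [event]
  end

  # The empty result {} (or a missing body) adds no fields but gets a tag.
  unless data.is_a?(Hash) && !data.empty?
    event.tag("_subnet_lookup_empty")
    return [event]
  end

  name = data["name"]
  event.set("[source][subnet][name]", name) if name.is_a?(String) && !name.empty?

  cidr = data["cidr"]
  if cidr.is_a?(String) && !cidr.empty?
    begin
      src = event.get("[source][ip]").to_s
      # Only trust the CIDR if it actually contains the IP we asked about.
      if IPAddr.new(cidr).include?(IPAddr.new(src))
        event.set("[source][subnet][cidr]", cidr)
      else
        event.tag("_subnet_lookup_mismatch")
      end
    rescue IPAddr::Error
      event.tag("_subnet_lookup_bad_cidr")
    end
  end

  [event]
end

# Helper for running the script stand-alone: builds an event the way the
# http filter would have left it and returns the resulting fields.
def lookup_result(ip, body)
  event = StubEvent.new({ "source" => { "ip" => ip }, "api_response" => body })
  filter(event)
  event.to_hash
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses, not captured from a real API.
  [["192.168.0.10", '{ "name": "SUBNET1", "cidr": "192.168.0.0/24" }'],
   ["10.0.0.1", "{}"]].each do |ip, body|
    puts lookup_result(ip, body).inspect
  end
end
```

Pointing Logstash at the script with `ruby { path => "..." }` right after the http filter replaces both the json filter and the two mutate blocks; the tags make empty, unparseable or mismatched lookups easy to spot with a single conditional on `[tags]` further down the pipeline.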
