Badger
2020-11-28 22:35:07
You cannot use that field reference in the target option of the json filter. In any version of logstash from the last couple of years I would expect that to result in a _jsonparsefailure tag and the error
Exception caught in json filter {:exception=>"Invalid FieldReference: `addresses[0].street`"
If you change the reference to be [addresses][0] then it will run without error, but the reference will be interpreted as the "0" entry in the "addresses" hash, not the first entry in the addresses array.
Your incoming JSON has the wrong field names, so you will have to rename the fields. I think it is easiest to do it in a ruby filter
json { source => "message" target => "[@metadata][json]" }
ruby {
code => '
json = event.get("[@metadata][json]")
event.set("addresses", [ { "street" => json["s"], "city" => json["c"] } ] )
'
}
which produces
"addresses" => [
[0] {
"city" => "some city",
"street" => "some address"
}
],
The original JSON is placed inside the [@metadata] field so that is available but not indexed by the output.
Thanks. can you try and put it togehter with my original script. I can't make it work. thanks
The json and ruby filter I provided should just replace the json filter you have. A file input will put the text of the line of the file in the field [message], not [a]. If you had previously run logstash it will have recorded how much of the input file it read in the sincedb, so you will need to append new lines to the file to get logstash to read them.