Base config
    input {
      file {
        path => "/home/ols.log"
        start_position => "beginning"
        # No sincedb is persisted, so the file is re-read from the start on every run
        sincedb_path => "/dev/null"
      }
    }

    filter {
      # Parse each log line as JSON
      json {
        source => "message"
      }
      # Use the top-level "skapad" field as the event timestamp
      date {
        match => [ "skapad", "ISO8601"]
      }
    }

    output {
      elasticsearch {
        hosts => ["http://es:9200"]
        index => "ols"
      }
      stdout {
        codec => rubydebug
      }
    }
Remove nested field
The JSON looks something like this:

    {
      "entitet": {
        "attribut": {
          "andrad": "2023-06-14T11:46:13.163Z",
          "mottagare": {
            "anvandare": null,
            "anvandarnamn": null,
            "region": "Väst",
            "roll": "CHEF",
            "roller": null,
            "org": null,
            "typ": "WQS",
            "Kod": null
          },
          "skapad": "2023-06-14T11:46:13.163Z",
          "status": "SKICKAD",
          "tillhor": {
            "id": "YY_e79a0ce2_c8a1_4c11_8fa1_c963540bb962",
            "typ": "USER"
          },
          "uppgift": {
            "beskrivning": "fixa lite ",
            "typ": "FRITEXT"
          }
        },
        "id": "A_b3bc8420_40fa_443a_be61_ffa32668c439",
        "schemaVersion": 1,
        "typ": "UPPGIFT"
      },
      "id": 8126,
      "skapad": "2023-06-14T11:46:13.358Z",
      "skapadAv": "Jörgen Larsson",
      "typ": "EventBusLogEntry"
    }
With this config, the nested field “entitet / attribut / mottagare” can be removed:

    filter {
      json {
        source => "message"
      }
      date {
        match => [ "skapad", "ISO8601"]
      }
      # Nested fields are addressed with the [a][b][c] field reference syntax
      mutate {
        remove_field => ["[entitet][attribut][mottagare]"]
      }
    }
Convert JSON field to string
If we want to convert a field that holds a JSON object into a string, we can use the ruby filter to replace it with its string form:

    filter {
      json {
        source => "message"
      }
      date {
        match => [ "skapad", "ISO8601"]
      }
      # Overwrite the nested object with the result of calling to_s on it
      ruby {
        code => 'event.set("[entitet][attribut][mottagare]", event.get("[entitet][attribut][mottagare]").to_s)'
      }
    }
The output now looks like this. Note that to_s produces Ruby's hash notation (=> and nil), not JSON:

    "mottagare" => "{\"anvandare\"=>nil, \"region\"=>\"Väst\", \"anvandarnamn\"=>nil, \"roll\"=>\"CHEF\", \"roller\"=>nil, \"org\"=>nil, \"typ\"=>\"WCS\", \"Kod\"=>nil}",
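The ruby filter body above can be exercised outside Logstash to see what downstream consumers receive. This is an added example, not code from the original page: FakeEvent is a hypothetical stand-in that mimics event.get/event.set, and the JSON.generate variant is a suggested alternative, on the assumption that the string should stay parseable as JSON and that events without the field should be left untouched.

```ruby
require "json"

# Hypothetical stand-in for the Logstash event API (get/set with "[a][b][c]"
# field references), so the filter body can run outside Logstash.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    keys(ref).reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    *parents, leaf = keys(ref)
    node = parents.reduce(@data) { |n, k| n[k] = {} unless n[k].is_a?(Hash); n[k] }
    node[leaf] = value
  end

  private

  def keys(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end
end

FIELD = "[entitet][attribut][mottagare]"

# The page's filter body: Hash#to_s gives Ruby inspect notation, and a missing
# field (nil) is turned into an empty string.
def stringify_with_to_s(event)
  event.set(FIELD, event.get(FIELD).to_s)
end

# Variant (assumption, not from the page): emit real JSON, skip missing fields.
def stringify_as_json(event)
  value = event.get(FIELD)
  event.set(FIELD, JSON.generate(value)) if value.is_a?(Hash) || value.is_a?(Array)
end

# Constructed sample, trimmed from the page's log entry.
def sample_event
  FakeEvent.new(JSON.parse('{"entitet":{"attribut":{"mottagare":{"region":"Väst","roll":"CHEF","org":null}}},"id":8126}'))
end

def empty_event
  FakeEvent.new(JSON.parse('{"id":8127}'))
end
```

Inside Logstash the same bodies would go in the ruby filter's code option, with event being the real event object.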