如何在logstash中使用嵌套Json字段作为ElasticSearch文档

wrrgggsh 于 2022-12-09 发布在 Logstash

关注(0)|答案(1)|浏览(234)

say the event is like this:

{
  "name": "xxx", 
  "data": {
    "a": xxx
  }
}

with logstash, how to just use inner data field as document source send to elasticsearch, like:

{
  "a": xxx
}

any response would be appreciated！
tried to use json filter

filter {
  json {
    source => "data"
  }
}

but seems like the event is already parsed as a json, the terminal just print this error message:

Error parsing json {:source=>"data", :raw=>{"a"=>xxx}, :exception=>java.lang.ClassCastException: org.jruby.RubyHash cannot be cast to org.jruby.RubyIO}

logstash

来源：https://stackoverflow.com/questions/71321566/how-to-use-nested-json-field-as-elasticsearch-doc-in-logstash

1条答案

按热度按时间

t30tvxxf1#

仅供参考，找到一个答案https://discuss.elastic.co/t/move-subarrays-to-document-root/143876
只需使用ruby代码将嵌套字段移动到文档根，并使用remove将所有其他字段移动到文档根

ruby {
    code => 'event.get("data").each { | k, v| event.set(k, v) }'
  }

  mutate {
    remove_field => [ "name", "data" ]
  }

赞(0）回复(0）举报 2022-12-09

我来回答

如何在logstash中使用嵌套Json字段作为ElasticSearch文档

1条答案

相关问题

热门标签

最新问答