
I have this JSON

{
"users":"[{"id":1,"name":"bob"},{"id":2,"name":"alice"},{"id":3,"name":"david"}]",
"date":"23/01/2017"
}

even if I'm using the logstash filter:

filter {
    split {
        field => "users"
    }
}

The message is stored in Elastic as a single event:

users => [{"id":1,"name":"bob"},{"id":2,"name":"alice"},{"id":3,"name":"david"}] date=> 23/01/2017

Question 1: How can I convert the user field from a string to a JSON array to have this:

"users":[{"id":1,"name":"bob"},{"id":2,"name":"alice"},{"id":1,"name":"david"}],
"date":"23/01/2017"

Question 2: How can I store this nested JSON as multiple JSON events in Elastic?

Expected output:

{
"id":1,
"name":"bob",
"date":"23/01/2017"
}

{
"id":2,
"name":"alice",
"date":"23/01/2017"
}

{
"id":3,
"name":"david",
"date":"23/01/2017"
}

Thanks in advance for your answer

1 Answer

For Question 1, you can use the Logstash JSON filter plugin to convert the JSON format.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html

For Question 2, I think you cannot make multiple documents from one line; you need to put the logs on a new line for a new document.

Logstash can parse one log line or multiple log lines to prepare one Elasticsearch document. But from one line it can't create multiple documents.
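
An added example, not part of the original question or answer: a filter chain that applies the json filter linked above to the users field and then the split filter from the question. It assumes the event already carries users as a string holding a JSON array and date as a separate field; the mutate step and the _jsonparsefailure guard are additions chosen for this illustration.

```logstash
filter {
  # Parse the JSON text held in "users" and write the resulting array back
  # to the same field. Setting "target" lets the parsed value be an array.
  # If the text is not valid JSON, the event is tagged "_jsonparsefailure".
  json {
    source => "users"
    target => "users"
  }

  # Only continue with events whose "users" field parsed cleanly, so that
  # malformed input stays visible as a tagged event instead of being reshaped.
  if "_jsonparsefailure" not in [tags] {
    # The split filter from the question, now applied to an array: it clones
    # the event once per element, and each clone keeps the other fields
    # of the original event, such as "date".
    split {
      field => "users"
    }

    # After the split, "users" holds a single object. Move its keys to the
    # top level to match the expected output, then drop the empty container.
    mutate {
      rename => {
        "[users][id]"   => "id"
        "[users][name]" => "name"
      }
      remove_field => ["users"]
    }
  }
}
```

Events tagged _jsonparsefailure can be routed to a separate index or output for review rather than discarded.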
