
I have the following format of JSON data that I send to a logstash instance listening on an HTTP endpoint

{
    "client": "c",
    "pageInfo": ["a", "b", "c"],
    "restInfo": ["r", "s", "t"]
}

My goal is to send this input to an elasticsearch endpoint as two different types in the same index; for example

 PUT elasticsearchhost:port/myindex/pageInfo
       { "client": "c", "pageInfo": ["a", "b", "c"] }

 PUT elasticsearchhost:port/myindex/restInfo
       { "client": "c", "restInfo": ["r", "s", "t"] }

I have tried some filters in logstash (split, mutate, grok), but I cannot understand how to perform this very specific split, or whether I also have to modify my configuration in the output section.

1 Answer

You will need to use clone to clone the events and then modify the clones.

For example:

filter {
  # Emit two extra copies of every event; each copy gets [type] set to its clone name.
  clone { clones => ["pageInfo", "restInfo"] }

  # Strip the array that does not belong to this copy, so each document
  # carries only client plus its own list.
  if [type] == "pageInfo" {
     mutate {
        remove_field => ["restInfo"]
     }
  }
  if [type] == "restInfo" {
     mutate {
        remove_field => ["pageInfo"]
     }
  }
}

And then on your elasticsearch output, be sure to include document_type => "%{type}"


3 Comments

Thank you, it works! In this way it creates three entities related to the same event; is there a way to have just one clone and refer to the original message in the 'if' statement? What would the original type value be for the original message?
The type for the original event is whatever you set on input.
You can also do else if and then a final else {drop{}}
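Putting the answer and the follow-up comments together, here is a complete pipeline as an added example (not part of the original answer): the http input from the question, the clone/prune filter with the `else if` / final `else { drop {} }` chain so the unpruned original is never indexed, and the elasticsearch output using `document_type => "%{type}"`. The listener port 8080 and the Elasticsearch host/port are assumed placeholders; the question only gives `elasticsearchhost:port`.

```logstash
input {
  http {
    # Assumed bind address and port; the question only says "listening on an http endpoint".
    host => "0.0.0.0"
    port => 8080
  }
}

filter {
  # Each event becomes three: the original (whose [type] is whatever the input set,
  # here nothing) plus two clones whose [type] is "pageInfo" and "restInfo".
  clone { clones => ["pageInfo", "restInfo"] }

  if [type] == "pageInfo" {
    # Keep client + pageInfo only.
    mutate { remove_field => ["restInfo"] }
  } else if [type] == "restInfo" {
    # Keep client + restInfo only.
    mutate { remove_field => ["pageInfo"] }
  } else {
    # The untouched original still holds both arrays; dropping it prevents a third
    # document that would leak the full payload into whatever type the input assigned.
    drop { }
  }
}

output {
  elasticsearch {
    # Assumed host/port placeholder.
    hosts => ["elasticsearchhost:9200"]
    index => "myindex"
    # Routes each surviving event to the type named by its clone.
    document_type => "%{type}"
  }
}
```

Note that Elasticsearch deprecated mapping types in 7.x and removed them in 8.x, so on those versions the same split is expressed with two separate indices (or a discriminator field) rather than `document_type`.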
