I am having a following set of information in my logs. It is in JSON format.
{
"someField":"someValue",
"columns":"[colName1, colName2, colName3, ... colNameN]",
"someField":"someValue"
}
I want this to be stored as an array in a same field columns.
The usecase I want to show up is how many users have used the particular column called colName1 and the count of it.
I am using ELK stak 5.x
if your source is directly json format
use the json plugin
filter {
json {
source => "message"
}
}
The array field will auto convert to array
https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html
String vales. so although my values looks in an array format, they are actually exported in string format in a log file. So will that affact in this case?
I got the solution by referring both the above answers. This is what I did.
To remove [ and ] from the string I used this:
mutate {
gsub => ["columns", "[\[\]]", ""]
}
and then to convert it into array:
mutate {
split => { "columns" => "," }
}
Mutate in output.conf might help you.
Follow this link - https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-replace
Although direct conversion from string to array is not supported. I faced same use case some time back, used merge functionality for that. I would suggest have some dummy field and merge with 'columns' field to create new array field. Hope this helps.
