Cannot access nested JSON object through filters

Description

There seems to be no way for me to access a dynamic field through the %{field} notation when I have an object in my logs.

For example, if my log had a format similar to this:

Every time I try and access anything inside the events object all that I get returned is something similar to this:

the line in my config:

and the result:

I've tried several different approaches, and nothing seems to work. However, if I remove the object, it works fine.

Is my syntax wrong, or is this unsupported?

Activity

Philippe Weber
April 17, 2014, 7:00 AM

"events" is an array containing one object, you would need to access it like

It was introduced in https://github.com/elasticsearch/logstash/pull/1216
so this is NOT available in 1.4.0 but will be only in 1.4.1 (or dev build)

Can your "events" array contain several objects? Then what would you expect?

Luke Rossy
April 17, 2014, 7:22 AM
Edited

I've tried that. Using this line in my config...

add_field => ["newfield", "%{[events][0][field1]}"]

here is the output:

{
       "message" => "{\"schema\":\"v1\",\"events\":[{\"field1\":\"foo\",\"field2\":\"bar\",\"field3\":{\"field4\":\"foobar\"}}]}",
      "@version" => "1",
    "@timestamp" => "2014-04-17T07:20:49.522Z",
          "host" => "0:0:0:0:0:0:0:1%0",
        "schema" => "v1",
        "events" => [
        [0] {
            "field1" => "foo",
            "field2" => "bar",
            "field3" => {
                "field4" => "foobar"
            }
        }
    ],
          "tags" => [
        [0] "_jsonparsefailure"
    ]
}

Trouble parsing json {:source=>"message", :raw=>"{\"schema\":\"v1\",\"events\":[{\"field1\":\"foo\",\"field2\":\"bar\",\"field3\":{\"field4\":\"foobar\"}}]}", :exception=>#<TypeError: can't convert String into Integer>, :level=>:warn, :file=>"logstash/filters/json.rb", :line=>"95"}

Philippe Weber
April 17, 2014, 8:14 AM

Which version did you test it for? As told, this is not in the current release, but for the *NEXT release*.

Result is:

Luke Rossy
April 17, 2014, 10:26 AM

Oh sorry, thanks for clearing that up. I was on 1.4.

Jason Kendall
April 17, 2014, 1:30 PM

Closing; resolved in 1.4.1. If still an issue after next release, please open a new report.
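The failure mode discussed in this thread, as an added Ruby example that is not part of the original issue and is not Logstash's own code: a field-reference lookup that uses every segment as a String key raises a TypeError on the "events" array, while an array-aware lookup resolves `%{[events][0][field1]}`. The helper names (`segments`, `naive_get`, `safe_get`, `expand`) are hypothetical, the sample event is constructed from the output shown above, and leaving unresolved references as literal text is this example's choice.

```ruby
require 'json'

# Constructed sample event with the same shape as the event in the thread.
SAMPLE = JSON.parse(
  '{"schema":"v1","events":[{"field1":"foo","field2":"bar","field3":{"field4":"foobar"}}]}'
)

# Split "[events][0][field1]" into ["events", "0", "field1"].
# A bare name such as "schema" is treated as one top-level key.
def segments(ref)
  parts = ref.scan(/\[([^\[\]]+)\]/).flatten
  parts.empty? ? [ref] : parts
end

# Naive lookup: every segment is used as a String key. Indexing an Array
# with a String raises TypeError, the class of error reported in the log.
def naive_get(event, ref)
  segments(ref).reduce(event) { |node, key| node[key] }
end

# Array-aware lookup: numeric segments index Arrays, other segments index
# Hashes. A reference that does not resolve yields nil instead of raising.
def safe_get(event, ref)
  segments(ref).reduce(event) do |node, key|
    case node
    when Hash  then node[key]
    when Array then key.match?(/\A-?\d+\z/) ? node[key.to_i] : nil
    else return nil
    end
  end
end

# Expand %{...} references in a template. Unresolved references stay as
# literal text so a broken reference is visible in the pipeline output.
def expand(event, template)
  template.gsub(/%\{([^}]+)\}/) do |whole|
    value = safe_get(event, Regexp.last_match(1))
    value.nil? ? whole : value.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  puts expand(SAMPLE, 'newfield=%{[events][0][field1]}')
  puts expand(SAMPLE, 'nested=%{[events][0][field3][field4]}')
  puts expand(SAMPLE, 'missing=%{[events][1][field1]}')
end
```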

Assignee

Logstash Developers

Reporter

Luke Rossy
