Expanding a log Message to 2 #10286

tastyfrankfurt · 2021-12-06T09:36:37Z

tastyfrankfurt
Dec 6, 2021

Hey Team,

We have a use case currently in logstash that we wish vector to solve, currently we have OpenSearch sending alerts. When opensearch sends an alert it send 1 alert with all the instances where the alert occured in 1 message. We would like vector to solve this by being able to split this one alert into multiple alerts. The below is a source log example going to a target log example.
SOURCE LOG
{
"timestamp: "yyyymmdd hh:mm:ss",
"field1": "blah",
"field2": "blad",
"alerts": {
"alert1": "some strange string",
"alert2": "some other strange string"
}
}
TARGET LOGS
{
"timestamp: "yyyymmdd hh:mm:ss",
"field1": "blah",
"field2": "blad",
"alert": "some strange string"
}

{
"timestamp: "yyyymmdd hh:mm:ss",
"field1": "blah",
"field2": "blad",
"alert": "some other strange string"
}

Answered by spencergilbert

Dec 6, 2021

This example should help, and there is also an unnest function to help here as well.

It looks like your example log is more or less the same pattern as the example and something like . = parse_json!(.alerts) would work (with some additional work if you wanted to retain original fields).

View full answer

spencergilbert · 2021-12-06T14:38:05Z

spencergilbert
Dec 6, 2021
Maintainer

This example should help, and there is also an unnest function to help here as well.

It looks like your example log is more or less the same pattern as the example and something like . = parse_json!(.alerts) would work (with some additional work if you wanted to retain original fields).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Expanding a log Message to 2 #10286

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Expanding a log Message to 2 #10286

tastyfrankfurt Dec 6, 2021

Replies: 1 comment

spencergilbert Dec 6, 2021 Maintainer

tastyfrankfurt
Dec 6, 2021

spencergilbert
Dec 6, 2021
Maintainer