fluency03 · December 12, 2016 10:39
diff --git a/parse-array.conf b/parse-array.conf
 input {
  beats {
    port => "5044"
  }
 }
 filter {
  json {
    source => "message"
  }
  ruby {
    init => "
      require 'json'
      def parse_array obj, top, event
        if obj.is_a? Array
          obj.each_with_index {|oo, ii|
            parse_json_array(oo, ii, top, event)
          }
        end
      end

      def parse_json_array obj, i, top, event
        obj = JSON.parse(obj) unless obj.is_a? Hash
        top_ = top
        if obj.is_a? Hash
          k = obj['name']
          v = obj['value']
          p = [top_, k].join('.')
          event.set(p, v)
        else
          event.set(top_, obj)
        end
      end
    "
    code => "
      parse_array(event.get('sttx')['headers'], 'sttx.headers', event)
      parse_array(event.get('sttx')['cookie'], 'sttx.cookie', event)
      parse_array(event.get('sttx')['setcookie'], 'sttx.setcookie', event)
    "
  }
  date {
    match => ["[sttx][tsmillis]", "UNIX_MS"]
  }
  mutate {
    remove_field => [ "@version", "host", "input_type", "[beat]", "tages", "type", "offset"]
  }
  geoip {
    source => "[sttx][ip]"
  }
 }
 output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    # Default value is "index"
    # action => "index"
    # codec => json {
    #   charset => "UTF-8"
    # }
    # Default value is 500
    flush_size => 500
    # Default value is 1 (seconds)
    idle_flush_time => 1
    index => "sttx-%{+YYYY.MM.dd}"
    document_type => "sttx"
    # sniffing => true
    manage_template => false
    template => "/home/fluency03/ELKTryout/template-sttx.json"
    template_name => "sttx"
    template_overwrite => true
  }
 }
	input {
	beats {
	port => "5044"
	}
	}
	filter {
	json {
	source => "message"
	}
	ruby {
	init => "
	require 'json'
	def parse_array obj, top, event
	if obj.is_a? Array
	obj.each_with_index {\|oo, ii\|
	parse_json_array(oo, ii, top, event)
	}
	end
	end

	def parse_json_array obj, i, top, event
	obj = JSON.parse(obj) unless obj.is_a? Hash
	top_ = top
	if obj.is_a? Hash
	k = obj['name']
	v = obj['value']
	p = [top_, k].join('.')
	event.set(p, v)
	else
	event.set(top_, obj)
	end
	end
	"
	code => "
	parse_array(event.get('sttx')['headers'], 'sttx.headers', event)
	parse_array(event.get('sttx')['cookie'], 'sttx.cookie', event)
	parse_array(event.get('sttx')['setcookie'], 'sttx.setcookie', event)
	"
	}
	date {
	match => ["[sttx][tsmillis]", "UNIX_MS"]
	}
	mutate {
	remove_field => [ "@version", "host", "input_type", "[beat]", "tages", "type", "offset"]
	}
	geoip {
	source => "[sttx][ip]"
	}
	}
	output {
	elasticsearch {
	hosts => [ "localhost:9200" ]
	# Default value is "index"
	# action => "index"
	# codec => json {
	# charset => "UTF-8"
	# }
	# Default value is 500
	flush_size => 500
	# Default value is 1 (seconds)
	idle_flush_time => 1
	index => "sttx-%{+YYYY.MM.dd}"
	document_type => "sttx"
	# sniffing => true
	manage_template => false
	template => "/home/fluency03/ELKTryout/template-sttx.json"
	template_name => "sttx"
	template_overwrite => true
	}
	}
No results found