How to do multi with JSON parsing?

Follow
Avatar
Steve Jansen
Anyone have a good way to handle JSON messages that have one or more entries per batch? For example, my 3rd party post a JSON array with a single eventlike: [ { "event_id": "1", "actor": "alice", "message": "..." } ] Then 5 minutes later, post JSON like: [ { "event_id": "2", "actor": "bob", "message": "..." }, { "event_id": "3", "actor": "carol", "message": "..." } ] Sumo support has been helping me to hack through this. We can't use multiline regex boundaries, as it will create invalid json. We are now trying some `parse regex ... multi` queries. It mostly works but it's very fragile depending on what JSON is sent. The 3rd party is totally reasonable to upload proper, valid JSON as an array of 1 or more events. I was hoping I could do something to break apart the events: _source=mysource | json "[*]" multi This doesn't work. Any other clever ideas to parse this JSON source into distinct events/rows?
2

Comments

1 comment

Sort by Date Votes
  • Avatar
    Kevin Cox

    I would like to see this as well. There is support for the `multi` option for the regex operator but defining a regex to split a JSON array is impossible in the general case and often difficult in the simpler cases. It would be excellent to have `multi` for extracting JSON arrays as well. Or just a general operator that can split an array into multiple records.

    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post