My original data.
{
message: {
data: "["1,2","3,4","5,6"]"
}
}
Now I want to convert value of data field to an array. So it should become:
{
message: {
data: ["1,2", "3,4", "5,6"]
}
}
By using
mutate {
gsub => ["data", "[\[\]]", ""]
}
I got rid of square brackets.
After this, I tried splitting based on commas. But that won't work. Since my data has commas as well.
I tried writing a dissect block but that is not useful.
So how should I go ahead with this?
Have you tried the json filter? If the data field always contains valid json data, you use the json filter like this:
json {
source => "data"
target => "data"
}
Using target => "data" will overwrite the data field.