I have some simple code:
{ "bustime-response": { "vehicle": [ {"vid": "foo"}] }}
And when i attempt to run the conf file i set up, it will crash. I think it has to do with the split field requirements but im not sure what is going on.
split {
field => "[bustime-response][vehicle]"
}
When removing the split, the system will log the full json object, but im trying to create seperate events for each "vehicle" whereas each 'vehicle' has a 'vid' as the primary key as there could be multiple vehicles on a route.
Am i missing something here when dealaing with JSON? I was looking at the docs for split and the info for field is:
The field which value is split by the terminator. Can be a multiline message or the ID of an array. Nested arrays are referenced like: "[object_id][array_id]"
The Logs from within my docker container is:
[ERROR] 2020-10-12 19:14:14.450 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 12, column 1 (byte 270) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:183:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:44:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:357:in `block in converge_state'"]}
[INFO ] 2020-10-12 19:14:14.554 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2020-10-12 19:14:19.590 [LogStash::Runner] runner - Logstash shut down.
split, like mutate need to exist inside of the "filter" block. They are not standalone options.