is it possible to split a nested json field value in json log into further sub fields in logstash filtering using mutate?

Question

. 。 Answers to this question are eligible for a +50 reputation bounty. Narendra522 wants to to this question: ：

I am looking for a way to split json field value into multiple fields.

I have a json log like this being streamed into ELK

{
  "event": "Events Report",
  "level": "info",
  "logger": "XXXXX",
  "method": "YYYYY",
  "report_duration": {
    "duration": "5 days, 12:43:16",
    "end": "2021-12-13 03:43:16",
    "start": "2021-12-07 15:00:00"
  },
  "request_type": "GET",
  "rid": "xyz-123-yzfs",
  "field_id": "arefer-e3-adfe93439",
  "timestamp": "12/13/2021 03:43:53 AM",
  "user": "8f444233ed4-91b8-4839-a57d-ande2534"
}

I would like to further split duration value ie "5 days, 12:43:16" as some thing like "days": "5"

I have tried using below logstash filter and still its not working

filter {
        if "report_duration" in [reports]{
           mutate {
            split => { "duration" => " " }
            add_field => { "days" => "%{[duration][0]}" }
            convert => {
             "days" => "integer"
            }
          }
       }
}

Answer 1

I think I have config that fits what you want:

    # Since I wasn't sure of what you wanted, I changed the conditional here to check if the duration nested field is present
    if [report_duration][duration]{
       mutate {
        # Since duration is nested under report_duration, it has to be accessed this way:
        split => { "[report_duration][duration]" => " " }
        # The split option replace the text field with an array, so it's still nested
        add_field => { "days" => "%{[report_duration][duration][0]}" }
      }
      # the convert option is executed before the split option, so it has to be moved in its own plugin call
      mutate {
        convert => {
         "days" => "integer"
        }
      }
   }

Some references: accessing nested fields , mutate filter process order