[syslog-ng] need help with parser to make flat nested json list of dictionaries

Александр Масленников alexander.a.maslennikov at gmail.com
Fri Jun 10 08:02:55 UTC 2022 

hi all
i have a json message that contains a nested json list of dicts

{"a":1,"b":[{"c":1},{"c":2},{"c":3}]}

i want to flat that message, so expected result looks like {
"a": 1,
"b_0_c": 1,
"b_1_c": 2,
"b_2_c": 3
}

My approach is a python implemented parser.
Is it possible to achieve the same result using the built-in syslog-ng
tools?
My solution below

@define kafka-implementation kafka-c

python {

import collections
import json

class FlattenedJson(object):

    def parse(self, log_message, flat_message=None):
        def flatten(d, parent_key='', sep='_'):
            items = []
            for k, v in d.items():
                new_key = parent_key + sep + k if parent_key else k
                if isinstance(v, collections.MutableMapping):
                    items.extend(flatten(v, new_key, sep=sep).items())
                elif isinstance(v, list):
                    for idx, value in enumerate(v):
                        items.extend(flatten(value, new_key + sep +
str(idx), sep).items())
                else:
                    items.append((new_key, v))
            return dict(items)
        try:
            decoded_msg = json.loads(log_message['MESSAGE'].decode('utf-8'))
            flat_message = flatten(decoded_msg)
            final_message =
str(json.dumps(flat_message)).encode(encoding='utf-8')
            log_message['MESSAGE'] = final_message
        except Exception as error:
            log_message['python_error'] = 'An exception occurred:
{}'.format(error)
        return True
};

destination d_kafka_dnstap {
  kafka(
    topic("mytopic")
    bootstrap-servers("localhost:9092")
    message("$(format-flat-json  --scope all-nv-pairs
application_name=myapp @timestamp=${ISODATE} )")
  );
};

source s_net_dnstap { network( transport(udp) port(514) flags(no-parse) ); };

parser p_dnstap { channel {
    parser { python(class("FlattenedJson")); };
    parser { json-parser(prefix("dnstap.")); };
  };
};

log { source(s_net_dnstap); parser(p_dnstap); destination(d_kafka_dnstap); };
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20220610/0fb59c2a/attachment.htm>

More information about the syslog-ng mailing list