My input looks like this:
10.108.2.44 "73.91.231.150, 10.10.10.165" - - [26/Jul/2017:00:00:00 -0500] "GET /wod/landing?c=e&macId=90%3Ac7%3Ad8%3Afa%3A78%3Ae9&location=WODTrial&apMacId=10%3A56%3A11%3A15%3Ad3%3A8d&a=as&bn=st22&wod=1&issuer=r&deviceModel=ZTE+Jasper+LTE HTTP/1.1" 303 -
In my grok I defined the part of:
macId=90%3Ac7%3Ad8%3Afa%3A78%3Ae9&location=WODTrial&apMacId=10%3A56%3A11%3A15%3Ad3%3A8d&a=as&bn=st22&wod=1&issuer=r&deviceModel=ZTE+Jasper+LTE
as JSON, and named it jsonstring.
My filter also contains:
    if [jsonstring] =~ /.+/ {
      split {
        field => "jsonstring"
        terminator => "&"
        add_tag => ["splittedjson"]
      }
      json {
        source => "jsonstring"
        target => "parsedJson"
        remove_field => ["jsonstring"]
        add_field => [ "macid", "%{[parsedJson][macid]}" ]
        add_field => [ "apmacid", "%{[parsedJson][apmacid]}" ]
        add_field => [ "bn", "%{[parsedJson][bn]}" ]
        add_field => [ "a", "%{[parsedJson][a]}" ]
        add_field => [ "issuer", "%{[parsedJson][issuer]}" ]
        add_field => [ "deviceModel", "%{[parsedJson][deviceModel]}" ]
      }
      urldecode {
        field => "macid"
      }
      urldecode {
        field => "apmacid"
      }
    }
The event is split!
The add_field isn't working and I am getting _jsonparsefailure all the time.
Thanks
Sharon.
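
An added example, not part of the original post: the captured text is a URL query string (key=value pairs joined by "&") rather than JSON, so this sketch parses it with Logstash's kv filter instead of split plus json. The target name parsedQuery is an assumption, and the key list is taken from the sample request above.

```logstash
filter {
  if [jsonstring] =~ /.+/ {
    # Parse the query string in place. No split filter is used, so the
    # request stays a single event instead of one event per parameter.
    kv {
      source       => "jsonstring"
      field_split  => "&"
      value_split  => "="
      # Assumed name: nesting the result keeps client-supplied keys from
      # overwriting top-level fields of the event.
      target       => "parsedQuery"
      # Query-string keys are chosen by the client, so only the expected
      # ones are kept. Names are case-sensitive (macId, not macid).
      include_keys => ["macId", "apMacId", "bn", "a", "issuer", "deviceModel"]
      remove_field => ["jsonstring"]
    }
    # Decode the percent-encoded MAC addresses (%3A becomes ":").
    urldecode {
      field => "[parsedQuery][macId]"
    }
    urldecode {
      field => "[parsedQuery][apMacId]"
    }
  }
}
```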