Check that a message is in JSON to avoid _jsonparsefailure

norandom · July 7, 2016, 3:08pm

Hi,

I have a logfile, which sadly is mixed. There are JSON lines, and there are free text lines. The good news is, that there is always a line break and JSON parsing works.

Currently I do:

   if "_jsonparsefailure" in [tags] {
                    drop { }
            }

I'd like to have an earlier check like

if ( [mesage] =~ ({.*}) ) {
   json {
                        source  => "message"
                }
}

Just using the curly braces to qualify for parsing

Otherwise I'd directly output it into Elasticsearch. Is there a simple way to do this, to save some performance and to avoid regular parser failures?

magnusbaeck · July 8, 2016, 5:44am

Sure, you can do that. The conditional in your example needs a few adjustments but the idea is right.

if [message] =~ /^{.*}$/ {