Hi All,
We are currently using the filter below in Logstash to process logs.
Filter -
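filter {
  # Parse the JSON document carried in "message" into the temporary hash
  # "parsed_msg". With skip_on_invalid_json the event is left untouched (no
  # tag) when the message is not valid JSON, so such events simply have no
  # parsed_msg and every conditional below is false for them.
  json {
    source => "message"
    target => "parsed_msg"
    skip_on_invalid_json => true
  }

  # Flatten the payload. A hash payload becomes top-level fields whose names
  # are literally "fr.<key>" (a dotted name, not a nested [fr][key] path);
  # any other payload value is stored as "fr.payload".
  # The keys come from the log itself and event.set() interprets its first
  # argument as a field reference, so a key containing "[" or "]" would be
  # written to an unintended path or raise and mark the event with
  # _rubyexception. Such keys are skipped and the event is tagged
  # "fr_key_skipped" so the drop is visible downstream.
  if [parsed_msg][payload] {
    ruby {
      code => '
        payload = event.get("[parsed_msg][payload]")
        if payload.is_a?(Hash)
          payload.each do |k, v|
            key = k.to_s
            if key =~ /\A[^\[\]]+\z/
              event.set("fr." + key, v)
            else
              event.tag("fr_key_skipped")
            end
          end
        else
          event.set("fr.payload", payload)
        end
      '
    }
  }

  # Copy parsed_msg.source to the top-level field "result_source".
  if [parsed_msg][source] {
    mutate {
      add_field => { "result_source" => "%{[parsed_msg][source]}" }
    }
  }

  # Copy parsed_msg.timestamp to the top-level field "result_timestamp".
  if [parsed_msg][timestamp] {
    mutate {
      add_field => { "result_timestamp" => "%{[parsed_msg][timestamp]}" }
    }
  }

  # Overwrite @timestamp from result_timestamp. The filter is a no-op when
  # the field is absent; a value the ISO8601 parser rejects leaves @timestamp
  # unchanged and adds "_dateparsefailure" to tags (which prune keeps below),
  # so tags is the first place to look when an event is not processed as
  # expected. The source timestamps carry 8-9 fractional digits; the parser
  # is expected to accept that, but confirm on a failing sample.
  date {
    match => ["result_timestamp", "ISO8601"]
    target => "@timestamp"
  }

  # Build a SHA256 fingerprint per log type into [@metadata][fingerprint]
  # (presumably consumed by the output as the document id; the output is not
  # part of this block). Missing sources are silently left out of the
  # concatenation, so the fingerprint is only as unique as the fields that
  # actually exist on the event.
  if [result_source] == "idm-core" {
    fingerprint {
      source => ["[parsed_msg][payload]", "result_source", "result_timestamp"]
      target => "[@metadata][fingerprint]"
      method => "SHA256"
      concatenate_sources => true
    }
  } else {
    # "fr.after" and "fr.before" are top-level fields holding hashes, so their
    # "_id" must be addressed with bracket syntax; a bare "fr.after._id" is
    # looked up as a top-level field of that literal name and never resolves.
    fingerprint {
      source => ["fr._id", "fr.timestamp", "result_source", "fr.message", "fr.transactionId", "fr.eventName", "result_timestamp", "[fr.after][_id]", "[fr.before][_id]"]
      target => "[@metadata][fingerprint]"
      method => "SHA256"
      concatenate_sources => true
    }
  }

  # Keep only the fields listed here. "^fr[.].*$" matches the flattened
  # "fr.<key>" fields (a bare "fr.*" would also match any unrelated field
  # that merely starts with "fr"). Note that fr.after / fr.before carry the
  # complete before/after object; for managed user objects that includes
  # contact details (mail, postal address, phone), so retention and access
  # controls on the destination index should account for it.
  prune {
    whitelist_names => ["^fr[.].*$", "^@timestamp$", "^@metadata$", "^result_source$", "^result_timestamp$", "^tags$", "^fingerprint$", "^fields.*$"]
  }

  # parsed_msg is already dropped by the whitelist above; this removal is kept
  # as an explicit, order-independent guarantee that the raw parse does not
  # leave the pipeline.
  mutate {
    remove_field => ["parsed_msg"]
  }
}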
We have two similar log formats, but only one of them is being filtered correctly. Could anyone advise on potential reasons for this discrepancy and suggest a resolution?
Log 1 - getting filtered -
{"@timestamp":"2025-02-18T15:51:49.117Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.15.2","input_id":"generic-httpjson-staging-idm","stream_id":"httpjson-httpjson.staging_idm","raw_index":"logs-httpjson.generic-default"},"event":{"created":"2025-02-18T15:51:49.117Z","dataset":"httpjson.generic"},"tags":["staging_idm"],"input":{"type":"httpjson"},"agent":{"id":"52887bbd-0645-4c47-8e63-4095f2705fa8","ephemeral_id":"8e494863-e58f-4844-972a-3ff1c69bbedb","name":"d1entsttlsr007.europe.aa.local","type":"filebeat","version":"8.15.2"},"ecs":{"version":"8.0.0"},"message":"{\"payload\":{\"_id\":\"185292be-0ecc-4301-88fd-98eac8de94f3-3812871\",\"after\":{\"_id\":\"4b809f69-a399-4a1a-9043-7bedd53de067\",\"_rev\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-858630\",\"createDate\":\"2025-02-04T14:18:44.354934954Z\",\"lastChanged\":{\"date\":\"2025-02-18T15:50:58.282619577Z\"},\"loginCount\":0},\"before\":{\"_id\":\"4b809f69-a399-4a1a-9043-7bedd53de067\",\"_rev\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-852420\",\"createDate\":\"2025-02-04T14:18:44.354934954Z\",\"lastChanged\":{\"date\":\"2025-02-18T13:06:37.789551815Z\"},\"loginCount\":0},\"changedFields\":[],\"eventName\":\"activity\",\"level\":\"INFO\",\"message\":\"\",\"objectId\":\"managed/alpha_usermeta/4b809f69-a399-4a1a-9043-7bedd53de067\",\"operation\":\"PATCH\",\"passwordChanged\":false,\"revision\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-858630\",\"runAs\":\"idm-provisioning\",\"source\":\"audit\",\"status\":\"SUCCESS\",\"timestamp\":\"2025-02-18T15:50:58.293Z\",\"topic\":\"activity\",\"transactionId\":\"e6b42174-165f-43db-b464-135e0f369f6f/0/5\",\"userId\":\"idm-provisioning\"},\"source\":\"idm-activity\",\"timestamp\":\"2025-02-18T15:50:58.294116388Z\",\"type\":\"application/json\"}","fields":{"environment":"staging"},"data_stream":{"dataset":"httpjson.generic","namespace":"default","type":"logs"},"elastic_agent":{"snapshot":false,"version":"8.15.2","id":"52887bbd-0645-4c47-8e63-4095f2705fa8"},"host":{"name":"d
1entsttlsr007.europe.aa.local","hostname":"d1entsttlsr007.europe.aa.local","architecture":"x86_64","os":{"platform":"rhel","version":"7.7 (Maipo)","family":"redhat","name":"Red Hat Enterprise Linux Server","kernel":"3.10.0-1160.118.1.el7.x86_64","codename":"Maipo","type":"linux"},"id":"69f417b1a15a420eb9acfd36802ff697","containerized":false,"ip":["10.178.2.12","fe80::477:70ff:fefe:3fdb"],"mac":["06-77-70-FE-3F-DB"]},"cloud":{"service":{"name":"Nova"},"provider":"openstack","availability_zone":"eu-west-1a","instance":{"name":"ip-10-178-2-12.europe.aa.local","id":"i-0528118076d76fe10"},"machine":{"type":"c5.2xlarge"}}
Log 2 not getting filtered -
{"@timestamp":"2025-02-18T15:51:49.117Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.15.2","raw_index":"logs-httpjson.generic-default","input_id":"generic-httpjson-staging-idm","stream_id":"httpjson-httpjson.staging_idm"},"cloud":{"machine":{"type":"c5.2xlarge"},"service":{"name":"Nova"},"provider":"openstack","availability_zone":"eu-west-1a","instance":{"id":"i-0528118076d76fe10","name":"ip-10-178-2-12.europe.aa.local"}},"tags":["staging_idm"],"input":{"type":"httpjson"},"fields":{"environment":"staging"},"agent":{"id":"52887bbd-0645-4c47-8e63-4095f2705fa8","version":"8.15.2","ephemeral_id":"8e494863-e58f-4844-972a-3ff1c69bbedb","name":"d1entsttlsr007.europe.aa.local","type":"filebeat"},"ecs":{"version":"8.0.0"},"message":"{\"payload\":{\"_id\":\"185292be-0ecc-4301-88fd-98eac8de94f3-3812872\",\"after\":{\"_id\":\"b28e8d51-b392-44c8-bfa9-b031c3b8eb0c\",\"_rev\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-858629\",\"accountStatus\":\"active\",\"aliasList\":[],\"assignedDashboard\":[],\"city\":\"Bath\",\"cn\":\"Will West\",\"consentedMappings\":[],\"country\":\"United Kingdom\",\"custom_IDD\":\"undefined\",\"custom_gender\":\"F\",\"custom_languageCodeID\":\"en-gb\",\"custom_mobilephone\":\"76581916480\",\"custom_title\":\"MR\",\"description\":null,\"displayName\":null,\"effectiveApplications\":[],\"effectiveAssignments\":[],\"effectiveGroups\":[],\"effectiveRoles\":[],\"frIndexedDate1\":null,\"frIndexedDate2\":null,\"frIndexedDate3\":null,\"frIndexedDate4\":null,\"frIndexedDate5\":null,\"frIndexedInteger1\":null,\"frIndexedInteger2\":null,\"frIndexedInteger3\":null,\"frIndexedInteger4\":null,\"frIndexedInteger5\":null,\"frIndexedMultivalued1\":[],\"frIndexedMultivalued2\":[],\"frIndexedMultivalued3\":[],\"frIndexedMultivalued4\":[],\"frIndexedMultivalued5\":[],\"frIndexedString1\":\"129447756\",\"frIndexedString2\":\"1/1/2000 12:00:00 
AM\",\"frIndexedString3\":null,\"frIndexedString4\":null,\"frIndexedString5\":null,\"frUnindexedDate1\":null,\"frUnindexedDate2\":null,\"frUnindexedDate3\":null,\"frUnindexedDate4\":null,\"frUnindexedDate5\":null,\"frUnindexedInteger1\":null,\"frUnindexedInteger2\":null,\"frUnindexedInteger3\":null,\"frUnindexedInteger4\":null,\"frUnindexedInteger5\":null,\"frUnindexedMultivalued1\":[],\"frUnindexedMultivalued2\":[],\"frUnindexedMultivalued3\":[],\"frUnindexedMultivalued4\":[],\"frUnindexedMultivalued5\":[],\"frUnindexedString1\":null,\"frUnindexedString2\":null,\"frUnindexedString3\":null,\"frUnindexedString4\":null,\"frUnindexedString5\":null,\"givenName\":\"Will\",\"kbaInfo\":[],\"mail\":\"CapTest03022025LI3Gen_15402769@test.com\",\"memberOfOrgIDs\":[],\"postalAddress\":\"23 Lorne Road\",\"postalCode\":\"BA2 3BY\",\"preferences\":{\"ejpartnerupdateandoffer\":true,\"ejupdateandoffer\":true},\"profileImage\":null,\"sn\":\"West\",\"stateProvince\":\"UNDEFINED\",\"telephoneNumber\":null,\"userName\":\"CapTest03022025LI3Gen_15402769@test.com\"},\"before\":{\"_id\":\"b28e8d51-b392-44c8-bfa9-b031c3b8eb0c\",\"_rev\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-858533\",\"accountStatus\":\"active\",\"aliasList\":[],\"assignedDashboard\":[],\"city\":\"Bath\",\"cn\":\"Will West\",\"consentedMappings\":[],\"country\":\"United 
Kingdom\",\"custom_IDD\":\"undefined\",\"custom_gender\":\"F\",\"custom_languageCodeID\":\"en-gb\",\"custom_mobilephone\":\"25231149988\",\"custom_title\":\"MR\",\"description\":null,\"displayName\":null,\"effectiveApplications\":[],\"effectiveAssignments\":[],\"effectiveGroups\":[],\"effectiveRoles\":[],\"frIndexedDate1\":null,\"frIndexedDate2\":null,\"frIndexedDate3\":null,\"frIndexedDate4\":null,\"frIndexedDate5\":null,\"frIndexedInteger1\":null,\"frIndexedInteger2\":null,\"frIndexedInteger3\":null,\"frIndexedInteger4\":null,\"frIndexedInteger5\":null,\"frIndexedMultivalued1\":[],\"frIndexedMultivalued2\":[],\"frIndexedMultivalued3\":[],\"frIndexedMultivalued4\":[],\"frIndexedMultivalued5\":[],\"frIndexedString1\":\"129447756\",\"frIndexedString2\":\"1/1/2000 12:00:00 AM\",\"frIndexedString3\":null,\"frIndexedString4\":null,\"frIndexedString5\":null,\"frUnindexedDate1\":null,\"frUnindexedDate2\":null,\"frUnindexedDate3\":null,\"frUnindexedDate4\":null,\"frUnindexedDate5\":null,\"frUnindexedInteger1\":null,\"frUnindexedInteger2\":null,\"frUnindexedInteger3\":null,\"frUnindexedInteger4\":null,\"frUnindexedInteger5\":null,\"frUnindexedMultivalued1\":[],\"frUnindexedMultivalued2\":[],\"frUnindexedMultivalued3\":[],\"frUnindexedMultivalued4\":[],\"frUnindexedMultivalued5\":[],\"frUnindexedString1\":null,\"frUnindexedString2\":null,\"frUnindexedString3\":null,\"frUnindexedString4\":null,\"frUnindexedString5\":null,\"givenName\":\"Will\",\"kbaInfo\":[],\"mail\":\"CapTest03022025LI3Gen_15402769@test.com\",\"memberOfOrgIDs\":[],\"postalAddress\":\"23 Lorne Road\",\"postalCode\":\"BA2 
3BY\",\"preferences\":{\"ejpartnerupdateandoffer\":true,\"ejupdateandoffer\":true},\"profileImage\":null,\"sn\":\"West\",\"stateProvince\":\"UNDEFINED\",\"telephoneNumber\":null,\"userName\":\"CapTest03022025LI3Gen_15402769@test.com\"},\"changedFields\":[],\"eventName\":\"activity\",\"level\":\"INFO\",\"message\":\"\",\"objectId\":\"managed/alpha_user/b28e8d51-b392-44c8-bfa9-b031c3b8eb0c\",\"operation\":\"PATCH\",\"passwordChanged\":false,\"revision\":\"418f3aa6-1048-4a80-9484-2df27fcc36bf-858629\",\"runAs\":\"idm-provisioning\",\"source\":\"audit\",\"status\":\"SUCCESS\",\"timestamp\":\"2025-02-18T15:50:58.294Z\",\"topic\":\"activity\",\"transactionId\":\"e6b42174-165f-43db-b464-135e0f369f6f/0/5\",\"userId\":\"idm-provisioning\"},\"source\":\"idm-activity\",\"timestamp\":\"2025-02-18T15:50:58.29472009Z\",\"type\":\"application/json\"}","event":{"created":"2025-02-18T15:51:49.117Z","dataset":"httpjson.generic"},"data_stream":{"namespace":"default","type":"logs","dataset":"httpjson.generic"},"elastic_agent":{"version":"8.15.2","id":"52887bbd-0645-4c47-8e63-4095f2705fa8","snapshot":false},"host":{"hostname":"d1entsttlsr007.europe.aa.local","architecture":"x86_64","os":{"kernel":"3.10.0-1160.118.1.el7.x86_64","codename":"Maipo","type":"linux","platform":"rhel","version":"7.7 (Maipo)","family":"redhat","name":"Red Hat Enterprise Linux Server"},"id":"69f417b1a15a420eb9acfd36802ff697","containerized":false,"ip":["10.178.2.12","fe80::477:70ff:fefe:3fdb"],"mac":["06-77-70-FE-3F-DB"],"name":"d1entsttlsr007.europe.aa.local"}}
Regards
Ereek