I am still fairly new to Logstash and I am starting to get on the tips of my skates when it comes to understanding how to do what I need to.
I am receiving JSON from a device (via HTTP payload) and it is super easy to slap it into ElasticSearch that way. However, one of the fields has info in it that I want to parse out and generate a new field based on what is in it. I know how to use the grok parser if the whole thing is string (like syslog) but I can't figure out how to do it if it is in JSON.
Here is example output from what I have now:
```
{
    "headers" => {
        "http_accept" => "*/*",
        "content_type" => "application/json",
        "request_path" => "/test-api",
        "http_version" => "HTTP/1.1",
        "request_method" => "POST",
        "http_host" => "192.168.86.140:9563",
        "request_uri" => "/test-api",
        "content_length" => "374"
    },
    "domain_id" => "Suspicious domain seen (domain.name:xiterzao.ddns.net)(654391)",
    "rule" => "domain_rule",
    "dst_ip" => "192.168.55.2",
    "domain_category" => "external",
    "tags" => [
        [0] "DNS"
    ],
    "src_ip" => "192.168.45.132",
    "processed" => "0",
    "device_name" => "MXVM",
    "@timestamp" => 2017-11-22T23:31:11.455Z,
    "received_at" => "2017-11-22T23:31:11.455Z",
    "@version" => "1",
    "host" => "192.168.86.122",
    "monitor_tag" => "",
    "msg_gen_time" => "2017/11/22 15:31:12"
}
```
Here is the conf file I am using:
```
input {
  http {
    host => "192.168.86.140"
    port => '9563'
  }
}
filter {
  grok {
    match => { "message" => "%{GREEDYDATA:msg_body}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "processed", 0 ]
    add_tag => [ "DNS" ]
  }
  # Note: ["domain_id"] here is an array literal containing the string "domain_id",
  # not a reference to the event field; the field-reference syntax is [domain_id].
  if "Suspicious domain seen" in ["domain_id"] {
    mutate {
      add_field => [ "it_worked", "True" ]
    }
  }
}
output {
  if "DNS" in [tags] {
    elasticsearch {
      hosts => ["192.168.86.140:9200"]
      index => ["dns"]
    }
  }
  stdout { codec => rubydebug }
}
```
I tried adding the if conditional in there to see if I could even grab the right thing but I don't get that in the output, so I guess I am looking at it in the wrong way. I tried with ["domain_id"] =~ "Suspicious domain seen" as well and I get the same result.
What I ultimately want to do is create a new field (domain) with the above "xiterzao.ddns.net" extracted from the domain_id value and add that to the output as well, because I need to pull it from ElasticSearch later and do a lookup in another application on it.
Don't know, maybe I have been just looking at this too long (all day) and am overthinking it. Thanks for any help.
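The extraction the question asks for, as an added example that is not part of the original post: the `domain_id` value is already a string field once the HTTP input has decoded the JSON body, so it can be matched directly with `grok { match => { "domain_id" => "\(domain\.name:%{HOSTNAME:domain}\)\(%{NUMBER:alert_id}\)" } }` instead of `message`, and the conditional needs the field-reference form `[domain_id]` rather than the array literal `["domain_id"]`. The Python below mirrors that filter so the regex and the failure handling can be checked offline before going into the pipeline; the sample event is constructed from the rubydebug output above, the second event and the `_domainparsefailure` tag name are my own assumptions, and `extract_domain`/`domains_for_lookup` are illustrative names, not Logstash or Elasticsearch API.

```python
import re

# Constructed sample event: field values copied from the question's rubydebug
# output (only the fields the filter touches are needed here).
SAMPLE_EVENT = {
    "domain_id": "Suspicious domain seen (domain.name:xiterzao.ddns.net)(654391)",
    "rule": "domain_rule",
    "src_ip": "192.168.45.132",
    "dst_ip": "192.168.55.2",
    "tags": ["DNS"],
}

# Same shape as the grok pattern on domain_id, written as a named-group regex:
#   \(domain\.name:%{HOSTNAME:domain}\)\(%{NUMBER:alert_id}\)
# The parens in the source text are literal, hence the escapes; the domain is
# limited to hostname characters so a stray ')' can never be swallowed into it.
DOMAIN_RE = re.compile(
    r"\(domain\.name:(?P<domain>[A-Za-z0-9.-]+)\)\((?P<alert_id>\d+)\)"
)

# Assumed tag name for events whose domain_id does not carry a domain, in the
# style of Logstash's own _grokparsefailure.
PARSE_FAILURE_TAG = "_domainparsefailure"


def extract_domain(event):
    """Return a copy of `event` with `domain` and `alert_id` added.

    Mirrors the intended Logstash filter: test the field reference [domain_id]
    (not the array literal ["domain_id"]), then grok that field. Events without
    a usable domain_id are returned tagged rather than dropped, so they still
    reach the index and the miss is visible.
    """
    out = dict(event)
    out["tags"] = list(event.get("tags", []))  # copy; never mutate the input

    value = event.get("domain_id")
    if not isinstance(value, str):
        out["tags"].append(PARSE_FAILURE_TAG)
        return out

    # Equivalent of:  if "Suspicious domain seen" in [domain_id] { ... }
    if "Suspicious domain seen" in value:
        out["it_worked"] = "True"

    match = DOMAIN_RE.search(value)
    if match is None:
        out["tags"].append(PARSE_FAILURE_TAG)
        return out

    out["domain"] = match.group("domain")
    out["alert_id"] = match.group("alert_id")
    return out


def domains_for_lookup(events):
    """Collect the distinct extracted domains from a batch of events, which is
    the list the other application would be queried with later."""
    found = set()
    for event in events:
        enriched = extract_domain(event)
        if "domain" in enriched:
            found.add(enriched["domain"])
    return sorted(found)


if __name__ == "__main__":
    # Assumed second event that carries no domain, to exercise the failure path.
    batch = [SAMPLE_EVENT, {"domain_id": "Benign lookup", "tags": ["DNS"]}]
    for e in batch:
        print(extract_domain(e))
    print(domains_for_lookup(batch))
```

Once the regex behaves as expected here, the Logstash side is the grok block quoted in the lead-in plus `if [domain_id] =~ /Suspicious domain seen/` for the conditional; the `domain` field then lands in the `dns` index alongside the rest of the event.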