Extracting JSON and Parsing it

Vedran_Maricevic · May 12, 2017, 9:57am

I have a JSON log that comes to Logstash.
It looks like this:

 [{"orderNumber":"xxxxxxxx","externalOrderNumber":"07efc4c7d3113453427f7fe525e22a61e","operation":{"name":"CAPTURE","amount":990,"status":"PENDING","createdAt":"2011-05-11T04:58:21.187Z","updatedAt":{}}}]
 [{"paymentMethod":"Card","transactionId":"331d83fd-2456-48320-842a-f4122aa311e1","orderStatus":"SUCCESS","statuses":[{"amount":990,"operation":"CAPTURE","status":"SUCCESS","createdAt":"2012-05-11T04:58:26.252Z"},{"amount":990,"operation":"CAPTURE","status":"PENDING","createdAt":"2012-05-11T04:58:26.224Z"},{"amount":990,"operation":"AUTHORISE","status":"SUCCESS","createdAt":"2012-05-11T04:58:26.198Z"},{"amount":990,"operation":"AUTHORISE","status":"PENDING","createdAt":"2012-05-11T04:58:16.304Z"}]}]

Which is basically [{SOMEJSON}][{MOREJSON}]

I was thinking to do a patter where I grab the first "[" then I do %{GREEDYDATA:firstjson} until the ]. The simply repeat the procedure.

I was not successfull in making this happen

magnusbaeck · May 12, 2017, 10:00am

That approach should work. What did you try, exactly?

Vedran_Maricevic · May 12, 2017, 10:14am

To be honest I am stuck at the start. How do I start with the character '['. and end it with ']'

Vedran_Maricevic · May 12, 2017, 10:27am

This line:

grok {
match => { "message" => "[%{GREEDYDATA:firstjson}]"}
}
Takes it all. It does not stop at the ]

magnusbaeck · May 12, 2017, 1:13pm

match => { "message" => "^\[%{GREEDYDATA:firstjson}\]$"}

I'd expect it to be faster to use a mutate filter and its gsub option to remove leading and trailing square brackets.

system · June 9, 2017, 1:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.