Extracting nested fields with grok or kv

I have logs like:

    Server response. Body={"valid":[{"someId":"12345","someType":"somevalue123","isSome":true}],"invalid":[]}

Current pipeline config:

    if [syslog_tag] =~ "json" {
      json {
        source => root_message
      }
      mutate {
        remove_field => ["root_message"]
      }
    }

I need to extract fields (someType, someId, etc.) to Kibana so I can use them in filters.

Instead of: message: "somevalue123" AND message: "12345"
I wanna use someType: "somevalue123" AND someId: "12345"

I've tried to change pipeline config like this:

    if [syslog_tag] =~ "json" {
      json {
        source => root_message
      }
      mutate {
        remove_field => ["root_message"]
      }
      grok {
        match => { message => "%{GREEDYDATA:message} Body=%{GREEDYDATA:json_message} "}
      }
      json {
        source => json_message
      }
      mutate {
        remove_filed => ["json_message"]
      }
    }

But it doesn't work.

What should I fix in the config to make it work? Maybe I should use kv?
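
One way to parse the sample line above, as an added example that is not part of the original post: the attempted grok pattern ends in a space that the sample line does not have, so the capture is anchored to the end of the line instead, and the embedded JSON is parsed under its own field so keys from the log body cannot overwrite top-level event fields. The names `response_text`, `body` and the two failure tags are assumptions chosen for illustration.

```logstash
filter {
  if [syslog_tag] =~ "json" {
    json {
      source => "root_message"
    }
    mutate {
      remove_field => ["root_message"]
    }

    # Capture everything after the literal "Body=" up to the end of the line.
    # No trailing space after the capture: the sample line ends with "}".
    # The text before "Body=" goes to its own field (assumed name) so that
    # [message] is left untouched and does not turn into an array.
    grok {
      match => { "message" => "^%{DATA:response_text} Body=%{GREEDYDATA:json_message}$" }
      tag_on_failure => ["_body_grok_failure"]
    }

    # Parse only when grok produced the capture.
    if [json_message] {
      json {
        source => "json_message"
        # Keep parsed keys under [body] so log content cannot replace
        # fields such as [message] or [host] at the top level of the event.
        target => "body"
        # remove_field is applied only when the JSON parsed successfully,
        # so malformed bodies keep the raw text for inspection.
        remove_field => ["json_message"]
        tag_on_failure => ["_body_json_failure"]
      }
    }
  }
}
```

For the sample line this yields `[body][valid][0][someId]` and `[body][valid][0][someType]`, which Kibana exposes as `body.valid.someId` and `body.valid.someType`. Because Elasticsearch flattens arrays of objects by default, a query on both fields can match values that come from different entries of `valid` when the array has more than one element.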
