Extracting some JSON fields from the message

Hello there, I want to extract "applicationOwner" and "proxyResponseCode" JSON fields from my message

My message field looks like this:

"message": "TID: [-1234] [2022-02-07 18:59:15,667] INFO {org.wso2.am.analytics.publisher.sample.reporter.LogCounterMetric} - Metric Name: apim:response Metric Value: {proxyResponseCode=500, errorType=null, applicationOwner=admin, , apiType=HTTP}"

I tried the JSON source but it's not working:

Error parsing json {:source=>"message" <LogStash::Json::ParserError: Unrecognized token 'TID': was expecting ('true', 'false' or 'null')

Hi, you will have to use two parsers/processors.
The example below is for Logstash:

filter {
  grok {
    match => [ "TID: \[%{DATA}\] \[%{DATA\] \[%{DATA:timestamp}\] %{WORD:log_lvl} %{GREEDYDATA:json_src}" ]
  }

  json {
    source => "json_src"
  }
}

This will first parse the line and take the non-JSON part out, or more accurately, put the JSON part in its own field. You can then use the json parser on that field.

This example puts all fields at the root btw.


Hi @sholzhauer, I tried the above solution but it's giving me a grok plugin error. I tried updating it as:

grok {
  match => { "message" => [ "TID: [%{DATA}] [%{DATA}] [%{DATA:timestamp}] %{WORD:log_lvl} %{GREEDYDATA:json_src}" ] }
}
json {
  source => "json_src"
}

But it doesn't change anything.

I put one \[%{DATA}\] too many in the pattern; it should be

TID: \[%{DATA}\] \[%{DATA:timestamp}\] %{WORD:log_lvl} %{GREEDYDATA:json_src}

Hi @sholzhauer, thanks for the pattern. It created a field as

"json_src": "{org.wso2.am.analytics.publisher.sample.reporter.LogCounterMetric} - Metric Name: apim:response Metric Value: {proxyResponseCode=500, errorType=null, applicationOwner=admin, , apiType=HTTP}"

How can I extract applicationOwner from that and create a new field?

You do so by using the second part:

json {
  source => "json_src"
}

This will extract the JSON to the root level. Although I'm not entirely sure if this will parse correctly, due to the whitespace and = instead of :

You could try

    grok { match => { "message" => "{(?<[@metadata][kvData]>[^}]+)}$" } }
    kv { source => "[@metadata][kvData]" field_split => "," trim_key => " " }

which will produce

          "apiType" => "HTTP",
"proxyResponseCode" => "500",
        "errorType" => "null",
 "applicationOwner" => "admin"
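The two-stage approach from the answers above (a grok-style regex that isolates the `{...}` block, followed by a key/value split) can be checked outside Logstash. The following is an added example, not code from the thread or from Logstash itself; it reimplements the same logic in plain Python so the resulting fields can be asserted. The sample line is the message field quoted at the top of the thread, embedded here as a constructed input, and the function and pattern names are my own.

```python
import re

# Constructed sample: the message field posted at the top of the thread.
SAMPLE = (
    "TID: [-1234] [2022-02-07 18:59:15,667] INFO "
    "{org.wso2.am.analytics.publisher.sample.reporter.LogCounterMetric} - "
    "Metric Name: apim:response Metric Value: "
    "{proxyResponseCode=500, errorType=null, applicationOwner=admin, , apiType=HTTP}"
)

# Stage 1: the equivalent of the corrected grok pattern
#   TID: \[%{DATA}\] \[%{DATA:timestamp}\] %{WORD:log_lvl} %{GREEDYDATA:json_src}
# The square brackets are escaped on purpose: an unescaped [...] is a
# character class in the regex that grok compiles to, which is why the
# unescaped variant in the thread matched nothing.
HEADER_RE = re.compile(
    r"^TID: \[(?P<tid>[^\]]*)\] \[(?P<timestamp>[^\]]*)\] "
    r"(?P<log_lvl>\w+) (?P<rest>.*)$"
)

# Stage 2a: the equivalent of grok "{(?<[@metadata][kvData]>[^}]+)}$",
# i.e. the last {...} group on the line. [^}]+ cannot cross the closing
# brace of the class name group, so the earlier {org.wso2...} is skipped.
KV_BLOCK_RE = re.compile(r"\{(?P<kvData>[^}]+)\}$")


def split_kv(block, field_split=",", value_split="="):
    """Mimic the kv filter with field_split => "," and trim_key => " ".

    The stray ", ," in the sample yields a token with no separator; the
    kv filter drops it, and so does this function.
    """
    fields = {}
    for token in block.split(field_split):
        if value_split not in token:
            continue
        key, value = token.split(value_split, 1)
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
    return fields


def parse_line(line):
    """Return the extracted fields as a dict, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "tid": m.group("tid"),
        "timestamp": m.group("timestamp"),
        "log_lvl": m.group("log_lvl"),
        "json_src": m.group("rest"),
    }
    kv = KV_BLOCK_RE.search(m.group("rest"))
    if kv:
        # Values stay strings, exactly as the kv filter emits them:
        # proxyResponseCode is "500" and errorType is the literal "null".
        event.update(split_kv(kv.group("kvData")))
    return event


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key} => {value!r}")
```

Two things carry over to the Logstash pipeline: `json_src` is not JSON (it is `key=value` pairs in braces), so a `json` filter on it will fail just like it did on `message`; and the kv output is all strings, so `proxyResponseCode` needs a `mutate { convert => ... }` (or an index mapping) before range queries such as `>= 500` work, and `errorType` will be the string `"null"` rather than a missing field.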
