Filter JSON content in field and parse target with existing mapping

baba · May 17, 2018, 2:12pm

Hi,
I'm trying to filter a second type of messages coming in my input queue.
The difference between messages is that in the second type of messages the log is embedded in a JSON as value of the "Message" field. I configured the JSON filter plugin as follow:

filter {
  json {
    source => "Message"
    target => "doc"
    remove_field => ["Message"]
  }
}

As expected the JSON parsed value of "Message" is placed in the new field "doc". Now, I'm struggling to further parse the "doc" nested fields. I'm using the add_field parameter to do this, without success tho.

Badger · May 17, 2018, 3:15pm

Can you show us what the doc field looks like and explain exactly what you want to parse from it?

baba · May 17, 2018, 3:35pm

Here's an example:

{
      "filename" => "fixtures/sqs.py",
    "@timestamp" => 2018-05-17T15:34:00.215Z,
         "cg_id" => "c6b46234-74d1-45dd-ab3e-1402b2f7147b",
      "@version" => "1",
          "name" => "mex-test",
       "message" => "This is a manually inserted message",
           "env" => "testing",
     "levelname" => "INFO",
        "region" => "local",
      "customer" => "TestCustomerCG",
          "tags" => [
        [0] "_dateparsefailure"
    ]
}
{
          "Type" => "Notification",
    "@timestamp" => 2018-05-17T15:34:00.268Z,
      "@version" => "1",
          "json" => "{\"_id\": null, \"levelname\": \"INFO\", \"asctime\": \"2018/05/11 16:02:14.209597\", \"customer\": \"TestCustomerCG\", \"message\": \"This is a manually inserted message as wrapped by SNS\", \"name\": \"test-logger\", \"funcName\": \"<module>\", \"filename\": \"fixtures/sqs.py\", \"env\": \"testing\", \"region\": \"local\"}"

So basically I need the nested field in "json" to be unwrapped and shown as the fields of the first message.

sgalinma · May 17, 2018, 3:52pm

Have you tried using "codec" => "json" in your output plugin?

baba · May 17, 2018, 3:58pm

Yes, nothing changes

Badger · May 17, 2018, 4:39pm

So you have json in a field called json. Use a json filter to parse it.

json { source => "json" target => "someField" }

system · June 14, 2018, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to parse nested json using logstash json filter Logstash	6	1187	October 16, 2019
To get message field for json filter Logstash	6	236	August 9, 2023
Json filter message filed Logstash	4	270	July 7, 2020
Json { source => "message" } not parsing all of it Logstash	21	1615	March 22, 2022
How to use the JSON filter correctly? Logstash	14	1912	August 25, 2023

Filter JSON content in field and parse target with existing mapping

Related topics