# Capture the JSON after payload, then remove it
grok { match => { "message" => '>",(?<endOfJson>[^>]+)$' } }
mutate { gsub => [ "message", ">[^>]+$", "" ] }
# Split the remainder into the initial JSON and the payload
dissect { mapping => { "message" => '%{startOfJson}"payload":"%{payload}' } }
# Fix up the XML. I am mystified where that >> comes from, but get rid of it!
mutate { gsub => [ "payload", "<", "<", "payload", "$", ">" , "payload", ">>", ">" ] }
# Parse the XML
xml { source => "payload" store_xml => true target => "theXML" force_array => false }
# Create some valid json and parse it. Use target in json filter?
mutate { add_field => { "wholeJson" => "%{startOfJson}%{endOfJson}" } }
json { source => "wholeJson" }
#mutate { remove_field => [ "startOfJson", "endOfJson", "wholeJson", "payload" ] }
And if you do not like the format of DynamicHeaders then you can change it using this.