Grok csv+json

Colleagues, good afternoon.
Please help — I'm new to ELK. I have a log with the following line structure:

2022-08-04T12:04:02,410|DEBUG|apg-b2p-keepr|instance_3|http-8343-exec-5345|gtwRequestOut.com.B2pGateway|POST /trnprocessor/identifiers/no=7000002198207624/sales|345435435435435|F|||||59111|{"queryParams":{},"request":"{"date":"2022-08-04T13:04:01","partner":"MMMM","coupons":[],"trnNo":"UAS_S_745f45f45f45f_AO45f45f4f45f45_34543543543_1","location":"9046546","cashdescOperationId":"9515CEBB-4454-45436-866776646B80","products":[{"discounted":true,"amount":446.25,"code":"7000004351407","quantity":1,"ECRInfo":"8d0367be-fbe1-433c-8854-04ac434eyuad","initialCost":525},{"discounted":true,"amount":446.25,"code":"7000001407","quantity":1,"ECRInfo":"aca6a7f7-0d52-400b-854d-5ee46752a94f","initialCost":525}]}"}

# Logstash filter stage for the pipe-delimited application log shown above.
filter {
  # Only events carrying the "perco_logs_l" tag whose message starts with a
  # yyyy-mm-dd prefix are processed; everything else passes through untouched.
  if "perco_logs_l" in [tags] and [message] =~ "^\d\d\d\d-\d\d-\d\d" {

     # Split the line on "|" into the named columns below. quote_char is set to
     # "&" (presumably instead of the default double quote) so the many double
     # quotes inside the trailing JSON column are not treated as field quoting.
     csv {
       separator => "|"
       quote_char => "&"
       skip_empty_columns => true
       # NOTE(review): this line is cut off in the paste (trailing "$"); the full
       # column list, including the name given to the JSON column, is not visible here.
       columns => ["real_timestamp","app","status","clm-app-name","task-status","java-class-method","called-metod","id-number-request","clm-channel","id-num$
     }

     # Parse real_timestamp (e.g. 2022-08-04T12:04:02,410 - note the comma before
     # the milliseconds) into @timestamp. No timezone is configured, so the plugin
     # default applies; set one explicitly if the application logs in another zone.
     date {
       match => [ "[real_timestamp]", "yyyy-MM-dd'T'HH:mm:ss,SSS" ]
     }

     # Trim surrounding whitespace from status and drop the raw timestamp,
     # which is redundant once @timestamp has been set.
     mutate {
       strip => [status]
       remove_field => [real_timestamp]
     }
  }
}

How can I parse the values that follow in square brackets?
I need the following fields and their values: date, amount, partner, location

I'm using ELK version 7.10.

up! need some help

The json plugin cannot be used here, since `{"queryParams" ...` is not valid JSON — the value of `request` contains unescaped double quotes. You can set your own timezone in the date plugin.

Try this:

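# Logstash filter stage for the pipe-delimited application log shown above.
filter {
  # Only events carrying the "perco_logs_l" tag whose message starts with a
  # yyyy-mm-dd prefix are processed; everything else passes through untouched.
  if "perco_logs_l" in [tags] and [message] =~ "^\d\d\d\d-\d\d-\d\d" {

    # Split the line on "|" into named columns. quote_char is set to "&"
    # instead of the default double quote so the many double quotes inside the
    # trailing JSON column are taken literally rather than as field quoting.
    # The four "spaceN" columns cover the empty fields between the channel and
    # the numeric id; skip_empty_columns keeps them out of the event.
    csv {
      separator => "|"
      quote_char => "&"
      skip_empty_columns => true
      columns => ["real_timestamp","app","status","clm-app-name","task-status","java-class-method","called-metod","id-number-request","clm-channel","space1","space2", "space3", "space4", "id-num", "col-json"]
      # NOTE(review): with this column order the sample line yields
      # app => "DEBUG" and status => "apg-b2p-keepr" (see the rubydebug output
      # on the page); the two names look swapped - confirm against the intended schema.
    }

    # Pull the four requested values out of the JSON text using literal key
    # prefixes. DATA is already non-greedy; the wildcards between the keys are
    # made non-greedy too (.*?), so "amount" is the FIRST product's amount.
    # With a greedy .* the regex backtracks from the end of the text and
    # silently captures the LAST product's amount whenever a request carries
    # more than one product (the sample hides this because both amounts are equal).
    grok {
      match => { "col-json" => '\"date\":\"%{DATA:date}\",\"partner\":\"%{DATA:partner}\",.*?\"location\":\"%{DATA:location}\",.*?\"amount\":%{NUMBER:amount},\"code\"' }
    }

    # The outer object is not valid JSON, but the text between "request":" and
    # the closing "} at the end of the column is. Cut it out and parse it
    # structurally, so every product (not just one amount) is available under
    # [request][products]. Failures are tagged separately so they are not
    # confused with a failure of the grok above.
    # assumes the inner request text contains no escaped quotes - confirm on more log lines
    grok {
      match => { "col-json" => '\"request\":\"%{GREEDYDATA:request_json}\"\}$' }
      tag_on_failure => ["_request_extract_failure"]
    }
    json {
      source => "request_json"
      target => "request"
      tag_on_failure => ["_request_json_failure"]
    }

    # real_timestamp looks like 2022-08-04T12:04:02,410 (comma before the
    # milliseconds); ISO8601 parses it and the result lands in @timestamp.
    # Without "timezone" the value is read in the plugin's default zone; set it
    # explicitly if the application logs in another zone.
    date {
      match => [ "[real_timestamp]", "ISO8601" ]
      #timezone => "Europe/Berlin"
    }
    # Same for the business date extracted by grok; "target" replaces the
    # string in "date" with the parsed timestamp value.
    date {
      match => [ "date", "ISO8601" ]
      target => "date"
      #timezone => "Europe/Berlin"
    }

    # grok captures are strings; make amount numeric for aggregations.
    mutate {
      convert => {
        "amount" => "float"
      }
    }

    # Trim whitespace from status and drop the raw/intermediate fields that
    # are redundant once the parsed values exist.
    mutate {
      strip => [status]
      remove_field => [ "real_timestamp", "event", "message", "log", "request_json" ]
      # NOTE(review): "col-json" still holds the complete raw payload (including the
      # cashdescOperationId and ECRInfo identifiers) next to the extracted copy; if
      # nothing downstream needs the raw text, add it to this list so the index does
      # not store the same data twice.
    }
  }
}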

This is the result:

{
          "task-status" => "http-8343-exec-5345",
             "col-json" => "{\"queryParams\":{},\"request\":\"{\"date\":\"2022-08-04T13:04:01\",\"partner\":\"MMMM\",\"coupons\":[],\"trnNo\":\"UAS_S_745f45f45f45f_AO45f45f4f45f45_34543543543_1\",\"location\":\"9046546\",\"cashdescOperationId\":\"9515CEBB-4454-45436-866776646B80\",\"products\":[{\"discounted\":true,\"amount\":446.25,\"code\":\"7000004351407\",\"quantity\":1,\"ECRInfo\":\"8d0367be-fbe1-433c-8854-04ac434eyuad\",\"initialCost\":525},{\"discounted\":true,\"amount\":446.25,\"code\":\"7000001407\",\"quantity\":1,\"ECRInfo\":\"aca6a7f7-0d52-400b-854d-5ee46752a94f\",\"initialCost\":525}]}\"}",
           "@timestamp" => 2022-08-04T10:05:02.410Z,
              "partner" => "MMMM",
             "location" => "9046546",
             "@version" => "1",
         "called-metod" => "POST /trnprocessor/identifiers/no=7000002198207624/sales",
               "status" => "apg-b2p-keepr",
          "clm-channel" => "F",
               "id-num" => "59111",
    "java-class-method" => "gtwRequestOut.com.B2pGateway",
               "amount" => 446.25,
    "id-number-request" => "345435435435435",
                 "date" => 2022-08-04T11:04:01.000Z,
         "clm-app-name" => "instance_3",
                  "app" => "DEBUG"
}
