Grok everything until a character and include that character in a field

pdna · March 1, 2018, 4:46pm

{"level":"error","message":"Token Generation Failed {\"error\":{}}","timestamp":"2017-11-15T17:58:00.402Z"}
In the message field, I want to extract everything until { character as message_type and store everything starting { as message including {. I'd appreciate any suggestions.

Note: I have set config.support_escapes: true in my logstash.yml to parse JSON.

filter {
#the following json filter would extract the fields level, message and timestamp
  json {
    source => "message"
  }
#I want to extract everything until { character as message_type and store everything starting { as message including {. I wonder if I have to add a double quote before this { 
  grok {
    match => { "message" => ["(%{DATA:message_type})?{{DATA:message}"] }
  }
#further parsing of json message
  json {
    source => "message"
  }
}

The following log is grokked successfully by the filter since it doesn't have a message type in it
{"level":"debug","message":"{\"code\":\"Access-Request\",\"identifier\":0,\"attributes\":[[\"User-Name\",\"ab@example.com\"]]}","timestamp":"2017-11-15T17:58:02.793Z"}

magnusbaeck · March 1, 2018, 8:02pm

[^{]* matches zero or more characters of any kind except {. (You might have to escape the closing brace with a backslash.)

system · March 29, 2018, 8:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.