Grok everything until a character and include that character in a field

pdna · March 1, 2018, 4:46pm

{"level":"error","message":"Token Generation Failed {\"error\":{}}","timestamp":"2017-11-15T17:58:00.402Z"}
In the message field, I want to extract everything until { character as message_type and store everything starting { as message including {. I'd appreciate any suggestions.

Note: I have set config.support_escapes: true in my logstash.yml to parse JSON.

filter {
#the following json filter would extract the fields level, message and timestamp
  json {
    source => "message"
  }
#I want to extract everything until { character as message_type and store everything starting { as message including {. I wonder if I have to add a double quote before this { 
  grok {
    match => { "message" => ["(%{DATA:message_type})?{{DATA:message}"] }
  }
#further parsing of json message
  json {
    source => "message"
  }
}

The following log is grokked successfully by the filter since it doesn't have a message type in it
{"level":"debug","message":"{\"code\":\"Access-Request\",\"identifier\":0,\"attributes\":[[\"User-Name\",\"ab@example.com\"]]}","timestamp":"2017-11-15T17:58:02.793Z"}

magnusbaeck · March 1, 2018, 8:02pm

[^{]* matches zero or more characters of any kind except {. (You might have to escape the closing brace with a backslash.)

system · March 29, 2018, 8:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash extract additional fields from message field of Json Logstash	3	687	September 13, 2021
How to extract json out of an event? Logstash	9	2491	July 12, 2018
Parsing of a sub-element Logstash	3	324	August 8, 2019
How to parse date field into @timestamp Logstash	12	235	January 24, 2024
Basic grok query - logstash Logstash	6	256	October 13, 2019

Grok everything until a character and include that character in a field

Related topics