Help with logstash config

logstashleaner · September 18, 2018, 3:30am

Hello,

I need some help in how we can parse logs in the following format. Have been trying using grok and csv but have not been able to parse the logs.

Any help will be really helpful.

{"ts":"2018-09-17T11:04:14.763","pid":27360,"tid":"69bc","sev":"info","req":"-","sess":"-","site":"{A07C2521-8B1E-4952-9FF1-F0E4AD54EC77}","user":"-","k":"begin-query","v":{"protocol-id":-1,"query":"SELECT ""."" AS ""\nFROM ""."" ""\n INNER JOIN ""."" "" ON ((""","query-category":"Unknown","query-hash":1449155313},"ctx":{"client-type":"dataserver","procid":"14888","requestID":"W5-CZWnpDdBwrsK9OUbR8gAAA@E","sessionid":"2B19A8A0D77E4C3AB34C81238C87F881-1:0","tid":"20548","username":"abc@temp.com"}}

magnusbaeck · September 18, 2018, 6:34am

That's a JSON string so you should use a json filter or possibly json or json_lines codec to parse it.

logstashleaner · September 18, 2018, 10:18pm

Thanks a lot! That helped.

I have another issue now, so for case where there is a json message inside a json message

The fields get split as
ctx.tid,
ctx.username
v.query-category
v.query-hash

and so on...

If i have to update any of the field or remove any of the field if i use ctx.tid or ctx.username it does now work

could you please help me with how to work with fields which are json within a json

logstashleaner · September 18, 2018, 10:49pm

Got it from your comments form another post by someone
had to access it as [v][query-category] and so on

Thanks again!

Topic		Replies	Views
Parse Json Logs using logstash Logstash	2	343	March 25, 2021
How to parse custom logs with nested jsons Logstash	2	399	August 14, 2017
Mixed log with json field Logstash	9	3501	July 6, 2017
How to parse nested logs with JSON through logstash Logstash	5	3431	August 19, 2020
How to parse json inside text line Logstash	18	4126	November 7, 2019

Help with logstash config

Related topics