How can i filter this pattern?

Ramon_Mateo · March 17, 2020, 9:27am

Hi

I try to filter this

> \"tenantID\": 80334, \"Size\": 11.42, \"FirstDate\": \"15/03/2020 00:09:47\", \"LastDate\": \"15/03/2020 23:59:17\"

i need this:

tenantID: 80334
Size: 11.42
FirstDate: 15/03/2020 00:09:47
LastDate: 15/03/2020 23:59:17

But i don't know how to do a patter that grook filter data that indicate in black.

Can you help me? I tried a lot of times but i don't know how to get all data that i need with grok. Thanks for advanced!

Fabio-sama · March 17, 2020, 10:03am

Hello there,

what you want to do does not sound difficult (if I got it right) but can you please post here ( properly spaced and formatted ) the output of the following pipeline first?

input {
  whatever your input is
}

filter {}

output {
  stdout{}
}

I'd like to see what your logs look like to logstash. Thanks

Ramon_Mateo · March 17, 2020, 10:07am

Hi

Thanks for respond.

This is the output of pipeline show for terminal:

\"tenantID\": 80334, \"Size\": 11.42, \"FirstDate\": \"15/03/2020 00:09:47\", \"LastDate\": \"15/03/2020 23:59:17\"

All of this

Fabio-sama · March 17, 2020, 10:29am

Hi there,

this cannot be the output of the terminal since you should have something like:

{
  "@version" => "..."
  "@timestamp" => "..."
  "message" => "..."
  etc...
}

Ramon_Mateo · March 17, 2020, 10:46am

 {
logstash         |     "message" => "{\"tenantID\": 81183, \"Size\": 8.54, \"FirstDate\": \"14/03/2020 07:12:18\", \"LastDate\": \"14/03/2020 11:42:09\"}"
logstash         | }

I have a mutate that remove @timestampt etc...
Thanks for your help!

Fabio-sama · March 17, 2020, 10:54am

Ok so, if your message is a perfect json, try this:

input {
  stdin{}
}

filter {
  json {
    source => "message"
  }
}

output {
  stdout{}
}

You should get something like the following:

{
      "LastDate" => "14/03/2020 11:42:09",
      "tenantID" => 81183,
     "FirstDate" => "14/03/2020 07:12:18",
       "message" => "{\"tenantID\": 81183, \"Size\": 8.54, \"FirstDate\": \"14/03/2020 07:12:18\", \"LastDate\": \"14/03/2020 11:42:09\"}",
          "Size" => 8.54
}

NOTE: obviously I meant the filter section, that one is the exact pipeline I used to test your input, setting as input {"tenantID": 81183, "Size": 8.54, "FirstDate": "14/03/2020 07:12:18", "LastDate": "14/03/2020 11:42:09"}

Ramon_Mateo · March 17, 2020, 11:28am

It works, thanks!!!!

Fabio-sama · March 17, 2020, 11:40am

No problem. I only ask you to mark my answer as a solution, so future readers will see this thread has been solved.

Thanks.

Ramon_Mateo · March 17, 2020, 11:42am

Do it. Thanks!

system · April 14, 2020, 11:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.