How does Logstash parsing the below events into correct json data?

Robin_Guo · January 28, 2019, 10:59am

Note: the raw PHP larval log is consist of JSON object format text and non-JSON format text

Original PHP larval log:

[2019-01-28 02:28:22] prod.INFO: {"database":"test10","type":"form","id":"20821","comment":"passback:792","timestamp":"2019-01-28 02:28:22"}

log is collected by filebeat ,output to logstash and logstash output to local file

{
  "info": "{\"database\":\"test10\",\"type\":\"form\",\"id\":\"19860\",\"comment\":\"passback:792\",\"timestamp\":\"2019-01-28 02:27:39\"}"
}

The output I wanted

{"info":{"database":"test10","type":"form","id":"19860","comment":"passback:792","timestamp":"2019-01-28 02:27:39"}}

logstash conf:

#logstash for pipeline filebeat
input {
  beats {
   port => 5058
    }
}

filter {

  if [service] =~ "datapurge-log" {
     grok {
       match => ["message", "%{UNUSED_TIME:unused_time} %{UNUSED_TYPE:unused_type}\: %{INFO:info}"]
     }
     mutate {
       remove_field=> ["[beat][version]","[beat][hostname]","[host][name]","[input][type]","[prospector][type]","[offset]","[message]"],
       gsub => ["info", "[\\]", ""]
     }

   }
}

output {
   if "_grokparsefailure"  not in [tags] {
     file {
       path => "/tmp/datapurge-log"
     }
   }

Badger · January 28, 2019, 2:32pm

I would suggest chopping up the message using a dissect filter, then using a json filter to parse it.

dissect { mapping => { "message" => "[%{} %{}] %{}: %{msg}" } }

Robin_Guo · January 30, 2019, 3:00am

Hi @Badger,

we ship logs like this: filebeat->logstash->ES

when the Original PHP larval log is collected by filebeat, the event is added to the key message. and all hash within the JSON object was added the escape character \.
my requirement is that remove strings both [2019-01-28 02:28:22] prod.INFO: and escape character \ in the hash of the whole JSON object.

PS:

Before collecting:

[2019-01-28 02:28:22] prod.INFO: {"database":"test10","type":"form","id":"20821","comment":"passback:792","timestamp":"2019-01-28 02:28:22"}

After collecting：

{
 "message": "[2019-01-28 02:28:22] prod.INFO: "{\"database\":\"test10\",\"type\":\"form\",\"id\":\"19860\",\"comment\":\"passback:792\",\"timestamp\":\"2019-01-28 02:27:39\"}"}
}

Any help or Suggestion would be appreciate！

Thanks in advance

Badger · January 30, 2019, 1:37pm

As I said, use the dissect filter that I showed to parse the message, then use a json filter to parse the field that contains the JSON.

Topic		Replies	Views
Parse json format logagregator logs in logstash Logstash	4	533	June 24, 2019
Parse string escaped JSON inside message Logstash	3	3359	May 22, 2019
Parsing quoted and escaped json events Logstash	1	257	May 3, 2021
How to parse log file with different log types with json Logstash	4	669	June 20, 2022
Advice on parsing a JSON log Logstash	5	481	November 7, 2019

How does Logstash parsing the below events into correct json data?

Related topics