How to add a specific key to a field from a JSON format part

its-ogawa · May 7, 2021, 8:13am

I was able to get a JSON part from a message in grok.
I want to keep a specific key from the JSON part in a field, how can I do that?

target log:
... snip ... { ... snip ..., "api_code":"40216", ... snip ... } ... snip ...

my grok:

grok{
	"match" => { "message" => " ... snip ... (?<MY_JSON>\{.*\})( %{GREEDYDATA:message})? ... snip ..." }
}

result:
MY_JSON : { ... snip ..., "api_code":"40216", ... snip ... }

expect:

MY_JSON  : { ... snip ..., "api_code":"40216", ... snip ... }
api_code : 40216

its-ogawa · May 12, 2021, 1:56am

Can anyone give me some good ideas?

its-ogawa · May 12, 2021, 2:56am

Yeah. I see what you mean.

It looks like it uses the json plugin.

I thought I'd have to use regular expressions, but Logstash has a nice feature.

Here is the code I wrote.

if( [MY_JSON] ) {
  json {
    source => "MY_JSON"
  }
}

its-ogawa · May 12, 2021, 3:05am

Note that this method adds all the values in json format to the field.

If you don't want to include them in the field, use remove_field.

system · June 9, 2021, 3:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.