How to add a specific key to a field from a JSON format part

its-ogawa · May 7, 2021, 8:13am

I was able to get a JSON part from a message in grok.
I want to keep a specific key from the JSON part in a field, how can I do that?

target log:
... snip ... { ... snip ..., "api_code":"40216", ... snip ... } ... snip ...

my grok:

grok{
	"match" => { "message" => " ... snip ... (?<MY_JSON>\{.*\})( %{GREEDYDATA:message})? ... snip ..." }
}

result:
MY_JSON : { ... snip ..., "api_code":"40216", ... snip ... }

expect:

MY_JSON  : { ... snip ..., "api_code":"40216", ... snip ... }
api_code : 40216

its-ogawa · May 12, 2021, 1:56am

Can anyone give me some good ideas?

its-ogawa · May 12, 2021, 2:56am

Yeah. I see what you mean.

It looks like it uses the json plugin.

I thought I'd have to use regular expressions, but Logstash has a nice feature.

Here is the code I wrote.

if( [MY_JSON] ) {
  json {
    source => "MY_JSON"
  }
}

its-ogawa · May 12, 2021, 3:05am

Note that this method adds all the values in json format to the field.

If you don't want to include them in the field, use remove_field.

Topic		Replies	Views
Dissect json fields in a specific field Logstash	2	459	May 7, 2020
How to extract part of a string from a field in json format and put it into a self added field? Logstash	1	234	May 28, 2020
Json Parsing Logstash	8	337	November 10, 2021
Logstash adds fields to JSON by parsing another field Logstash	3	973	May 26, 2017
Logstash cannot extract json key Logstash	4	477	February 11, 2019