How to filter a specific JSON message

Hey guys, how are you? Can someone tell me how to send specific data from a JSON message? I would like to send the message field "Broser: chrome" to Elasticsearch.

My question is how to filter for that specific data in the JSON file.

JSON attached:

{
  "_index": "logstash",
  "_type": "_doc",
  "_id": "qHO_-28BpR7vR_VN3zs_",
  "_version": 1,
  "_score": null,
  "_source": {
    "@buildTimestamp": "2020-01-31T10:13:59.203-0300",
    "@version": 1,
    "port": 53930,
    "@timestamp": "2020-01-31T13:17:32.406Z",
    "host": "activation.cloud.techsmith.com",
    "message": [
      "Lanzada por el usuario Jose Miguel Lopez Guevara",
      "Running as SYSTEM",
      "Ejecutando.en el espacio de trabajo C:\\Program Files (x86)\\Jenkins\\workspace\\Test",
      "using credential JoseGitHub",
      " > git.exe rev-parse --is-inside-work-tree # timeout=10",
      "Fetching changes from the remote Git repository",
      " > git.exe config remote.origin.url https://github.com/pedro2/CI-manzanas-Labs.git # timeout=10",
      "Fetching upstream changes from https://github.com/pedro2/CI-manzanas-Labs.git",
      " > git.exe --version # timeout=10",
      "using GIT_ASKPASS to set credentials Usuario de GitHub",
      " > git.exe fetch --tags --progress -- https://github.com/pedro2/CI-manzanas-Labs.git +refs/heads/*:refs/remotes/origin/* # timeout=10",
      " > git.exe rev-parse \"refs/remotes/origin/joseBueno^{commit}\" # timeout=10",
      " > git.exe rev-parse \"refs/remotes/origin/origin/joseBueno^{commit}\" # timeout=10",
      "Checking out Revision be3489f104da66497cba0d7fd9dd3a04a26b5352 (refs/remotes/origin/joseBueno)",
      " > git.exe config core.sparsecheckout # timeout=10",
      " > git.exe checkout -f be3489f104da66497cba0d7fd9dd3a04a26b5352 # timeout=10",
      "Commit message: \"Cambio con nombre de browser\"",
      " > git.exe rev-list --no-walk be3489f104da66497cba0d7fd9dd3a04a26b5352 # timeout=10",
      "Parsing POMs",
      "Established TCP socket on 53640",
      "[Test] $ \"C:\\Program Files\\Java\\jdk1.8.0_231/bin/java\" -cp \"C:\\Program Files (x86)\\Jenkins\\plugins\\maven-plugin\\WEB-INF\\lib\\maven35-agent-1.13.jar;C:\\Program Files\\apache-maven-3.6.2\\boot\\plexus-classworlds-2.6.0.jar;C:\\Program Files\\apache-maven-3.6.2/conf/logging\" jenkins.maven3.agent.Maven35Main \"C:\\Program Files\\apache-maven-3.6.2\" \"C:\\Program Files (x86)\\Jenkins\\war\\WEB-INF\\lib\\remoting-3.36.jar\" \"C:\\Program Files (x86)\\Jenkins\\plugins\\maven-plugin\\WEB-INF\\lib\\maven35-interceptor-1.13.jar\" \"C:\\Program Files (x86)\\Jenkins\\plugins\\maven-plugin\\WEB-INF\\lib\\maven3-interceptor-commons-1.13.jar\" 53640",
      "<===[JENKINS REMOTING CAPACITY]===>\u0000\u0000\u0000channel started",
      "Executing Maven:  -B -f C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\pom.xml clean test",
      "[INFO] Scanning for projects...",
      "[INFO] ",
      "[INFO] --------------------------< Demo_BD:Demo_BD >---------------------------",
      "[INFO] Building Demo_BD 0.0.1-SNAPSHOT",
      "[INFO] --------------------------------[ jar ]---------------------------------",
      "[INFO] ",
      "[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ Demo_BD ---",
      "[INFO] Deleting C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\target",
      "[INFO] ",
      "[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ Demo_BD ---",
      "[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!",
      "[INFO] skip non existing resourceDirectory C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\src\\main\\resources",
      "[INFO] ",
      "[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Demo_BD ---",
      "[INFO] No sources to compile",
      "[INFO] ",
      "[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ Demo_BD ---",
      "[WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!",
      "[INFO] Copying 4 resources",
      "[INFO] ",
      "[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ Demo_BD ---",
      "[INFO] Changes detected - recompiling the module!",
      "[WARNING] File encoding has not been set, using platform encoding Cp1252, i.e. build is platform dependent!",
      "[INFO] Compiling 11 source files to C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\target\\test-classes",
      "[INFO] ",
      "[INFO] --- maven-surefire-plugin:3.0.0-M3:test (default-test) @ Demo_BD ---",
      "[INFO] ",
      "[INFO] -------------------------------------------------------",
      "[INFO]  T E S T S",
      "[INFO] -------------------------------------------------------",
      "[INFO] Running TestSuite",
      "SLF4J: Failed to load class \"org.slf4j.impl.StaticLoggerBinder\".",
      "SLF4J: Defaulting to no-operation (NOP) logger implementation",
      "SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.",
      "Broser: chrome",
      "ene 31, 2020 10:15:05 AM org.openqa.selenium.remote.ProtocolHandshake createSession",
      "INFORMACIÓN: Detected dialect: W3C",
      "Broser: chrome",
      "ene 31, 2020 10:16:27 AM org.openqa.selenium.remote.ProtocolHandshake createSession",
      "INFORMACIÓN: Detected dialect: W3C",
      "[ERROR] Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 152.541 s <<< FAILURE! - in TestSuite",
      "[ERROR] configSelenium(cl.manzanas.qa.tests.Test_Selenium_Firefox)  Time elapsed: 17.993 s  <<< FAILURE!",
      "org.openqa.selenium.WebDriverException: ",
      "New session attempts retry count exceeded (WARNING: The server did not provide any stacktrace information)",
      "Command duration or timeout: 40.52 seconds",
      "Build info: version: '3.141.59', revision: 'e82be7d358', time: '2018-11-14T08:17:03'",
      "System info: host: 'NOTEBOOK-230', ip: '192.168.99.1', os.name: 'Windows 10', os.arch: 'amd64', os.version: '10.0', java.version: '1.8.0_231'",
      "Driver info: driver.version: RemoteWebDriver",
      "\tat cl.manzanas.qa.tests.Test_Selenium_Firefox.configSelenium(Test_Selenium_Firefox.java:107)",
      "",
    "Please refer to C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\target\\surefire-reports for the individual test results.",
      "Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.",
      "[JENKINS] Guardando informes de test",
      "[INFO] ------------------------------------------------------------------------",
      "[INFO] BUILD SUCCESS",
      "[INFO] ------------------------------------------------------------------------",
      "[INFO] Total time:  02:59 min",
      "[INFO] Finished at: 2020-01-31T10:17:25-03:00",
      "[INFO] ------------------------------------------------------------------------",
      "Esperando a que Jenkins finalice de recopilar datos",
      "[JENKINS] Archiving C:\\Program Files (x86)\\Jenkins\\workspace\\Test\\pom.xml to Demo_BD/Demo_BD/0.0.1-SNAPSHOT/Demo_BD-0.0.1-SNAPSHOT.pom",
      "channel stopped"
    ],
    "source_host": "http://localhost:8080/"
  }
}

My logstash.conf:

input {
  tcp {
    port => 6969
    codec => json
  }
}

filter {
  json {
    source => "message"
    target => "message"
  }

  # mutate {
  #   split => ["source", "|"]
  # }
  #~
  #if [message] =~ "[0-9|A-Z]{11}"{

  if "Chrome" in [message] { drop { }
    mutate {
      add_field => {"browser" => "Chrome"}
    }
  }
  else
  {
    mutate {
      add_field => {"browser" => "Firefox"}
    }
  }

  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }

  mutate {
    remove_field => "message"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # index => "%{[@metadata][tcp]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "prueba"
    #user => "elastic"
    #password => "changeme"
  }
  stdout { codec => rubydebug }
}

If anyone has the same question, filtering for a specific message is done as follows:

if /Browser: chrome/ in [message]{ mutate{ add_field => {"browser" => "Chrome"}}}
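
An added example, not part of the original posts: a filter section that derives a `browser` field from the console lines, assuming `[message]` arrives as an array of strings as in the JSON document posted above. The tag name `browser_not_found` and the fallback regex (which accepts both the `Broser:` spelling seen in the log and `Browser:`) are assumptions made for illustration.

```logstash
filter {
  # On an array field, "in" tests for an element that equals the string
  # exactly; on a string field it tests for a substring. The sample log
  # contains the element "Broser: chrome", so the exact spelling matters.
  if "Broser: chrome" in [message] {
    mutate { add_field => { "browser" => "Chrome" } }
  } else {
    # Fallback for any other browser line: scan the array and capture the
    # name after the label instead of hard-coding one value per browser.
    ruby {
      code => '
        lines = Array(event.get("message"))
        name = lines.map { |l| l.to_s[/\ABrow?ser:\s*(\w+)/i, 1] }.compact.first
        if name
          event.set("browser", name.capitalize)
        else
          # Keep the event and mark it, so a missing label is visible in
          # Elasticsearch rather than silently defaulting to a browser.
          event.tag("browser_not_found")
        end
      '
    }
  }

  # Remove the bulky console output only after the field has been derived.
  # A drop { } inside the conditional would discard the whole event before
  # any later filter or output sees it.
  mutate { remove_field => ["message"] }
}
```

Running the pipeline with `stdout { codec => rubydebug }`, as in the posted output section, shows whether `browser` or the `browser_not_found` tag was set for each event.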
