How to grok a text containing json

ssasporta · July 22, 2017, 1:14am

I don't really understand how to grok the below text ?
The response itself also needs to be pars.
At least I Need an example for it.

 Timestamp:2017-07-21 17:32:32.778
*********************************************************************************************************************************
{
  "timestamp" : 1500676355572,
  "severity" : "Error",
  "userAgent" : "Mozilla/5.0 (Linux; Android 5.1.1; KFGIWI Build/LVY48F) AppleWebKit/537.36 (KHTML, like Gecko) Silk/59.3.1 like Chrome/59.0.3071.117 Safari/537.36",
  "raw" : {
    "requestUrl" : "ecommerce/subscription-info",
    "response" : "{\"errorCode\":\"000101\",\"errorMessage\":\"An error occurred calling backend application\",\"transactionId\":\"6cc771ff-d266-4b2e-981b-c07959559166\"}"
  }

Thanks
Sharon.

magnusbaeck · July 25, 2017, 8:58pm

Use a multiline codec to join these lines into a single event.
Use a grok filter to separate the initial "Timestamp" and "*****..." lines from the JSON string that follows.
Use a json filter to parse the JSON string that the grok filter extracted into a field of its own.
Use a second json filter to parse the JSON string in the [raw][response] field created by the first json filter.

system · August 22, 2017, 8:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.