Hi,
I tried to break it into small pieces but still can't get past this rock.
I would like every field of the JSON to have its own target line, but in the same entry.
Anyway, nothing is working for me.
This is my input:
Timestamp:2017-05-24 09:43:11.733 "requestUrl" : "ecommerce/user/register", "response" : "{"errorCode":"000202","errorMessage":"One or more inputs are invalid","transactionId":"af280fcb-1e5b-4731-a11e-d11b1f286e34"}"
This is my logstash filter:
    if [type] == "json1" {
      mutate {
        uppercase => [ "severity" ]
      }
      grok {
        tag_on_failure => ["_grokparsefailure" , "_jsonparsefailure" ]
        break_on_match => true
        keep_empty_captures => false
        match => { "message" => "Timestamp:%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:jsonstring}"
        }
        patterns_dir => "/etc/logstash/patterns"
      }
      date {
        match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss aa" , "yyyy-MM-dd HH:mm:ss.SSS" , "ISO8601" ]
      }
      json {
        source => "jsonstring"
        target => "doc"
      }
      mutate {
        add_field => {
          "requestUrl" => "%{[doc][requestUrl]}"
          "response" => "%{[doc][response]}"
        }
      }
    }
And this is the output:
Really need help here!!!
Thanks
Sharon.
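
Added example (not part of the original post, and not Logstash configuration): a Ruby example showing that the text after the timestamp in the sample line is not valid JSON as a whole, and one way to pull `requestUrl` and the keys of the embedded `response` object into separate fields of a single event. The function names, the `response_raw` field and the key allowlist are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample: the log line quoted in the post above.
SAMPLE = 'Timestamp:2017-05-24 09:43:11.733 "requestUrl" : "ecommerce/user/register", ' \
         '"response" : "{"errorCode":"000202","errorMessage":"One or more inputs are invalid",' \
         '"transactionId":"af280fcb-1e5b-4731-a11e-d11b1f286e34"}"'

# Timestamp prefix, then everything else (what the grok pattern calls jsonstring).
LINE_RE = /\ATimestamp:(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.,]\d{3})\s+(?<rest>.*)\z/m
# The remainder is two key/value pairs without enclosing braces; the response
# value is a JSON object wrapped in quotes with its inner quotes left unescaped.
FIELDS_RE = /\A"requestUrl"\s*:\s*"(?<url>[^"]*)"\s*,\s*"response"\s*:\s*"(?<response>\{.*\})"\s*\z/m
# Assumption: only these response keys are copied, so a logged payload cannot
# add arbitrary fields to the event or overwrite existing ones.
ALLOWED_KEYS = %w[errorCode errorMessage transactionId].freeze

# True when the text parses as a JSON document on its own.
def valid_json?(text)
  JSON.parse(text)
  true
rescue JSON::ParserError
  false
end

# Returns one flat hash per line; failures are tagged the way Logstash tags them.
def parse_line(line)
  head = LINE_RE.match(line.strip)
  return { 'tags' => ['_grokparsefailure'] } if head.nil?

  event = { 'timestamp' => head[:timestamp] }
  body = FIELDS_RE.match(head[:rest])
  return event.merge('tags' => ['_grokparsefailure']) if body.nil?

  event['requestUrl'] = body[:url]
  begin
    doc = JSON.parse(body[:response])
    event.merge!(doc.select { |key, _| ALLOWED_KEYS.include?(key) })
  rescue JSON::ParserError
    # Keep the raw text for later inspection instead of dropping the event.
    event['tags'] = ['_jsonparsefailure']
    event['response_raw'] = body[:response]
  end
  event
end

puts JSON.pretty_generate(parse_line(SAMPLE)) if $PROGRAM_NAME == __FILE__
```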