How to multi grok json with pipe

Hi

How to grok this in Logstash:
{"data":{"context":{"code":39921,"father_pid":"20190204171709_eIqUa","origin":"tWarn_1","context":"Default","project":"DATA_RECOVERY","pid":"8ccIjj","job":"FR_SIUV1_Load_MyJob","priority":3,"type":"tWarn","message":"2019-02-06 17:19:20|ST1_GINKGONE_ZON|begin||\nProcessing archive/data/runSIUV1_Load_MyJob/data/03-in/In/OGEO_ZON.zip, please wait...\n\n\nProcess finished\nPrepare json schema for id: ST1_GINKGONE_ZON.tJSONDocOpen_1\nPrepare json schema for id: ST1_GINKGONE_ZON.tJSONDocOpen_2\nPrepare json schema for id: ST2_GINKGONE_ZON.tJSONDocOpen_2\n2019-02-06 17:19:23|ST1_GINKGONE_ZON|end|success|3215","root_pid":"20190204171709_eIqUa","moment":"2019-02-06 17:19:23"},"content":{"message":"Information tWarn_1"}},"header":{"logType":"technical","level":"info","sourceHost":"","logVersion":"","contentType":"application/json","version":"0.1","timestamp":"2019-02-06T17:19:23.236+0100"}}

A simple json filter gave me this:
2019-02-04 17:57:48|JOB_NAME_HAB|begin||
Processing archive/data/runSIUV1_Load_MyJob/data/03-in/In/QLHB_HAB.zip, please wait...

Process finished
Prepare json schema for id: JOB_NAME_HAB.tJSONDocOpen_2
Prepare json schema for id: JOB_NAME_HAB.tJSONDocOpen_3
Prepare json schema for id: ST2_GINKGO_HAB.tJSONDocOpen_1
2019-02-04 17:58:06|JOB_NAME_HAB|end|success|17870

I want to parse other piped fields like status ==> success and duration ==> 17870

Thanks
B.B

I would use grok. You need to identify a pattern that you can extract from the message. There are hundreds of examples in this forum.

grok { match => { "[data][context][message]" => [ "\|end\|(?<status>[^|]+)\|(?<duration>[^|]+)$" ] } }
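The pattern from the answer above, checked outside Logstash as an added example that is not part of the original thread. Ruby regular expressions accept the same named-group syntax; the event is a constructed, shortened copy of the one in the question, and `extract_end_fields` is a hypothetical helper name.

```ruby
require "json"

# Constructed sample: a shortened copy of the event posted in the question.
SAMPLE_EVENT = <<~'JSON'
  {"data":{"context":{"job":"FR_SIUV1_Load_MyJob","message":"2019-02-06 17:19:20|ST1_GINKGONE_ZON|begin||\nProcessing archive, please wait...\n\nProcess finished\n2019-02-06 17:19:23|ST1_GINKGONE_ZON|end|success|3215"}},"header":{"level":"info"}}
JSON

# Same expression as in the grok filter from the answer.
END_LINE = /\|end\|(?<status>[^|]+)\|(?<duration>[^|]+)$/

# Hypothetical helper: returns {"status", "duration"} or nil when the
# event has no usable "end" line (Logstash would tag such an event
# _grokparsefailure by default).
def extract_end_fields(event_json)
  event = JSON.parse(event_json)
  return nil unless event.is_a?(Hash)

  # Equivalent of the [data][context][message] field reference.
  message = event.dig("data", "context", "message")
  return nil unless message.is_a?(String)

  m = END_LINE.match(message)
  return nil unless m

  # [^|]+ also matches newlines, so any text after the end line would be
  # swallowed into "duration"; the strict integer conversion rejects that
  # instead of indexing a polluted value.
  { "status" => m[:status], "duration" => Integer(m[:duration], 10) }
rescue JSON::ParserError, ArgumentError, TypeError
  nil
end

p extract_end_fields(SAMPLE_EVENT) if $PROGRAM_NAME == __FILE__
```
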

Thank you, it's OK.
