How to parse elastic audit.json log file

ali_ali · July 15, 2023, 11:55am

hi
how to parse elastic audit.json and seperate each field
i used json plugin but got some bad parsing
can you send me a filter to parse it.

PodarcisMuralis · July 15, 2023, 8:56pm

You may use kv (key-value)plugin?

filter {
  kv {
    source => "message"
    field_split => ","
    value_split => "="
  }
}

or maybe dissect plugin?

filter {
  dissect {
    mapping => {
      "message" => "%{[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{[@metadata][user]} %{[@metadata][action]} %{[@metadata][index]} %{[@metadata][shard]} %{[@metadata][node]} %{[@metadata][reason]} %{[@metadata][state]}"
    }
    remove_field => ["message"]
  }
}

ali_ali · July 16, 2023, 7:00am

hi murat
i want to remove highlighted fields in the picture

ali_ali · July 16, 2023, 7:02am

this is my filter

Topic		Replies	Views
Parse json "message" into separate fields in Kibana Logstash	3	8395	February 15, 2019
Logstash Filter \|\| Json Message to Split Fields Logstash	3	2123	October 14, 2019
Extract fields from JSON Flie to Elastic using Logstash filters Logstash	6	669	June 29, 2021
Need Help to parse specific Log format Elasticsearch	4	440	October 20, 2018
Elasticsearch analyzing and mapping data Elasticsearch	6	395	August 25, 2020

How to parse elastic audit.json log file

Related topics