How to Parse Json log format by ConfigMap in Logstash

aleksei.saiko · February 14, 2019, 3:10pm

Hi,
The logs that I'm receiving for message, looking like that in Kibana -

message	       	{"time_date": "2019-02-14T14:00:39+00:00","client": "10.xxx.xxx.xxx", "host": "xxx.com", "scheme": "https", "request_method": "GET", "request_uri": "/static/img/logo_new.png", "request_id": "xxxxxxxxxxxxxx", "status": 304, "upstream_addr": "xxx.xx.xx.xx:80", "upstream_status": 304, "request_time": 0.002, "upstream_response_time": 0.000, "upstream_connect_time": 0.000, "upstream_header_time": 0.000}

My Logstash ConfigFile -

input {
        beats {
            port => 50XX
        }
    }
    filter {
        if [kubernetes][container][name] == "nginx" {
            grok {
                match => {
                    "message" => "%{IP:remote_ip} - \[%{HTTPDATE:[response][time]}\] \"%{DATA:url}\" %{NUMBER:[response][code]} %{NUMBER:[response][bytes]} %{QS:user_agent}"
                }
                remove_field => "message"
            }
            geoip {
                source => "remote_ip"
                target => "[geoip]"
            }
        }

        date {
            match => ["time", "ISO8601"]
            remove_field => ["time"]
        }
        mutate {
            remove_field => ["source", "host", "[beat][name]", "[beat][version]"]
        }
    }

    output {
            elasticsearch {
                hosts => ["es-xx-01.xxxx.pro:9200", "es-xx-02.xxxx.pro:9200"]
                index => "apps-qa-%{[kubernetes][namespace]}-deployment-%{[kubernetes][pod][name]}-%{[kubernetes][labels][app]}-%{[kubernetes][container][name]}-%{+YYYY.MM.dd}"

        }
    }

How can I config the Logstash the right way, to geet the Message log parsed?

Thanks,

Aleksei

Badger · February 14, 2019, 3:19pm

Use a json filter

json { source => "message" }

aleksei.saiko · February 17, 2019, 10:34am

Does it has to be inside the grok, or no inside the grok? Both ways, it didn't work.

pjanzen · February 17, 2019, 11:24am

This is an basic example of a filter that should produce output. Although it is depending on the if statement, if that matches then the below config should work..

input {
        beats {
            port => 50XX
        }
    }
    filter {
        if [kubernetes][container][name] == "nginx" {
            json {
                source => "message"
           }
       }
    }

    output {
            elasticsearch {
                hosts => ["es-xx-01.xxxx.pro:9200", "es-xx-02.xxxx.pro:9200"]
                index => "apps-qa-%{[kubernetes][namespace]}-deployment-%{[kubernetes][pod][name]}-%{[kubernetes][labels][app]}-%{[kubernetes][container][name]}-%{+YYYY.MM.dd}"

        }
    }

aleksei.saiko · February 17, 2019, 2:15pm

Thanks, worked

system · March 17, 2019, 2:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help how to parse such log from Kubernetes nginx pod Logstash	4	962	June 26, 2017
Parse logs Logstash	12	3317	July 6, 2017
Can someone please help me with nginx logstash filter Logstash	11	3352	September 30, 2017
Send json message only from a log file to elastic seach Logstash	7	902	November 13, 2017
Logstash parse docker container log Logstash	2	1691	March 18, 2019

How to Parse Json log format by ConfigMap in Logstash

Related topics