How to parse message with random data using logstash filter?

Amit_Agarwal1 · January 24, 2020, 3:30pm

I have received the below message from the producer at Axon Topic with some random ASCII data.
"message" => "\u0000\u0000\u0000\u0002�\u0004C1�\u0001\u0002�\u0003\u0000\u0000\u0000\u0000A�\u0003{"prdctId":"10077","id":"10077","name":"ComPass","owner":{"id":"E040547","name":"Shashi Raghunandan"},"alias":[{"id":"a1Id","name":"a1Name"},{"id":"a2Id","name":"a2Name"}],"cntryAvail":["n/a"]}��[\u0002\u0000\u0002\u0000"

I have tried split filter on open curly braces '{' to take out the outer json data from the message.
mutate {
split => ["message", "{"]
add_field => { "splitmsg" => "%{[message][0]}" }
add_field => { "msg" => "%{[message][1]}" }
}

but then we get the splitted messages from the message field, which seems not a correct way to do it as after that we got the message in below format.
{"prdctId":"10077","id":"10077","name":"ComPass","owner":{"id":"E040547","name":"Shashi Raghunandan"},"alias":[{"id":"a1Id","name":"a1Name"},{"id":"a2Id","name":"a2Name"}],"cntryAvail":["n/a"]}

Now, I'm not able to remove backslashes from the message. Please suggest the filter to be applied in such a way to have the output as json from above message into inline format.
{"prdctId":"10077","id":"10077","name":"ComPass","owner":{"id":"E040547","name":"Shashi Raghunandan"},"alias":[{"id":"a1Id","name":"a1Name"},{"id":"a2Id","name":"a2Name"}],"cntryAvail":["n/a"]}

Badger · January 24, 2020, 5:14pm

You could try something like

mutate { gsub => [ "message", "^[^{]+", "", "message", "}[^}]+$", "" ] }

which would remove everything before the first { and everything after the last }.

Amit_Agarwal1 · January 26, 2020, 7:34pm

After trying above filter, got message as given below.

{
    "_index" : "test-product-logstash-22",
    "_type" : "_doc",
    "_id" : "%{id}",
    "_score" : 1.0,
    "_source" : {
      "message" : "{\"prdctId\":\"10077\",\"id\":\"10077\",\"name\":\"ComPass\",\"status\":\"In Development\",\"family\":\"Strategic Growth\",\"line\":\"Strategic Growth\",\"shortDesc\":\"Enables interoperable digital IDs\",\"longDesc\":\"A platform that enables interoperable digital ID's and other capabilities \",\"owner\":{\"id\":\"E040547\",\"name\":\"Shashi Raghunandan\"},\"program\":{\"id\":\"422\",\"name\":\"Regional Solutions and Bundles\"},\"alias\":[{\"id\":\"a1Id\",\"name\":\"a1Name\"},{\"id\":\"a2Id\",\"name\":\"a2Name\"}],\"regAvail\":[\"ap\",\"lac\",\"mea\"],\"cntryAvail\":[\"Global\"],\"salesCenterUrl\":\"salesCenterUrlsfsfd\",\"isActive\":\"true\"",
      "@version" : "1",
      "@timestamp" : "2020-01-26T19:17:49.977Z"
    }
  }

But, I wanted to get the message in json format as output.
{
"_index" : "test-product-logstash-22",
"_type" : "_doc",
"_id" : "10066",
"_score" : 1.0,
"_source" : {
"id" : "10066",
"prdctId" : "10066",
"name" : "ComPass",
"status" : "In Development",
"family" : "Strategic Growth",
"line" : "Strategic Growth",
"shortDesc" : "providers",
"longDesc" : "population",
"owner" : {
"id" : "E040547",
"name" : "Shashi "
},
"program" : {
"id" : "422",
"name" : "Regional Solutions and Bundles"
},
"alias" : [
{
"id" : "995c5dbd-97ee-46bb-b0d8-3e83a097762b",
"name" : "Community Pass"
}
],
"regAvail" : [
"ap",
"lac",
"mea"
],
"cntryAvail" : [
"n/a"
],
"salesCenterUrl" : "n/a",
"isActive" : "true"
}
}

Please suggest the filter needed to be applied to get the output in json format as shown above.

Badger · January 26, 2020, 9:10pm

Use a json filter.

json { source => "message" }

Amit_Agarwal1 · January 27, 2020, 5:46am

Please have a look at the output received after applying json filter on message.
{
"message" => "{"prdctId":"10077","id":"10077","name":"ComPass","status":"In Development","family":"Strategic Growth","line":"Strategic Growth","shortDesc":"Enables interoperable digital IDs","longDesc":"A platform that enables interoperable digital ID's and other capabilities ","owner":{"id":"E040547","name":"Shashi Raghunandan"},"program":{"id":"422","name":"Regional Solutions and Bundles"},"alias":[{"id":"a1Id","name":"a1Name"},{"id":"a2Id","name":"a2Name"}],"regAvail":["ap","lac","mea"],"cntryAvail":["Global"],"salesCenterUrl":"salesCenterUrlsfsfd","isActive":"true"",
"tags" => [
[0] "_jsonparsefailure"
]
}

Please suggest.

Amit_Agarwal1 · January 27, 2020, 6:45am

Tried the below filter but then missing } at the end which hence not making message structure as json.
mutate { gsub => [ "message", "^[^{]+", "", "message", "}[^}]+$", "" ] }

Badger · January 27, 2020, 2:33pm

Try

mutate { gsub => [ "message", "^[^{]+", "", "message", "[^}]+$", "" ] }

^{ ↩︎

Amit_Agarwal1 · January 30, 2020, 5:59am

Thanks a lot. It's working fine now. After putting json filter, getting the proper structured message in output.

Topic		Replies	Views
Filter message log in logstash Logstash	2	265	May 22, 2023
How to get the nested array and nested json from input message in logstash Logstash	12	2725	February 19, 2020
Parse string escaped JSON inside message Logstash	3	3362	May 22, 2019
Message in json but not full Logstash	4	308	September 4, 2019
Json { source => "message" } not parsing all of it Logstash	21	1979	March 22, 2022

How to parse message with random data using logstash filter?

Related topics