How to use grok filter on JSON field

I have an http input plugin in my logstash configuration with codec as json as

http {
        host => ""
        port => "8080"
        user => "username"
        password => "password"
        codec => json
}

So the message in my filter section is

        "@timestamp" => 2017-06-23T06:16:05.000Z,
          "@version" => "1",
             "event" => {
               "logLevel" => "INFO",
            "description" => " \"Coupon\" \"Chrome\" \"Linux\" \",,\" \"\" \"/user/dashboard\" \"Coupon - Dashboard\" _14981985629789475123422 \"URLChange\" \"\"",
              "className" => "internalUserTrackLog",
              "eventType" => "USER_TRACKING_INFO_EVENT"

I want to use grok filter on the description field of the message. I don't want any other field. What I was doing is

grok {
        match => [ "[event][description]", "%{COUPON_DATE:logdate} %{IPORHOST:machineIp} %{EMAILADDRESS:user} %{QS:account} %{QS:browser} %{QS:os} %{QS:forwardList} %{QS:ipAddress} %{QS:pageURL} %{QS:pageTitle} %{WORD:tabId} %{QS:eventType} %{GREEDYDATA:customKVP}" ]
        patterns_dir => "/etc/logstash/patterns"
}

But I am getting _grokparsefailure.

Since the field is a space-separated list of strings I suggest you use the csv filter instead of grok.
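
The csv approach suggested in the reply above, as an added example that is not part of the original thread. The column names are borrowed from the grok pattern in the question; the sample description holds ten space-separated tokens and no date, host or e-mail prefix, so only the last ten names are mapped.

```logstash
filter {
  # Assumption: the value starts with a space, as in the sample event.
  # Left in place, that space would yield an empty first column and shift
  # every name by one, so trim the field before splitting it.
  mutate {
    strip => ["[event][description]"]
  }

  csv {
    source    => "[event][description]"
    separator => " "
    # quote_char is left at its default (a double quote), which matches
    # the quoting used in the sample value.
    columns   => ["account", "browser", "os", "forwardList", "ipAddress",
                  "pageURL", "pageTitle", "tabId", "eventType", "customKVP"]
  }
}
```

Values such as `pageURL` and `customKVP` originate in the client request, so anything downstream that renders or queries them should treat them as untrusted input.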