How to use grok filter on JSON field

I have an http input plugin in my logstash configuration with codec as json as

    http {
        host => "0.0.0.0"
        port => "8080"
        user => "username"
        password => "password"
        codec => json
    }

So the message in my filter section is

    {
             "@timestamp" => 2017-06-23T06:16:05.000Z,
               "@version" => "1",
                  "event" => {
                "logLevel" => "INFO",
             "description" => "sachchit.bansal@xyz.com \"Coupon\" \"Chrome\" \"Linux\" \"182.72.92.14, 172.20.14.45, 172.20.12.14\" \"182.72.92.14\" \"/user/dashboard\" \"Coupon - Dashboard\" _14981985629789475123422 \"URLChange\" \"\"",
               "className" => "internalUserTrackLog",
               "eventType" => "USER_TRACKING_INFO_EVENT"
        }
    }

I want to use grok filter on the description field of the message. I don't want any other field. What I was doing is

    grok {
        match => [ "[event][description]", "%{COUPON_DATE:logdate} %{IPORHOST:machineIp} %{EMAILADDRESS:user} %{QS:account} %{QS:browser} %{QS:os} %{QS:forwardList} %{QS:ipAddress} %{QS:pageURL} %{QS:pageTitle} %{WORD:tabId} %{QS:eventType} %{GREEDYDATA:customKVP}"]
        patterns_dir => "/etc/logstash/patterns"
    }

But I am getting _grokparsefailure.


Since the field is a space-separated list of strings I suggest you use the csv filter instead of grok.
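One way to apply that suggestion to the description shown in the question, as an added example rather than configuration from the original thread: the csv filter with a space separator and double-quote quoting yields one column per token, so the quoted values containing spaces (the forwarded-IP list, the page title) stay intact. The column names mirror the grok capture names from the question, minus the leading `logdate` and `machineIp`, which have no counterpart in the sample description (it begins with the e-mail address, which is why that grok pattern cannot match); the `tracking` target name is an assumption.

```logstash
filter {
  csv {
    source     => "[event][description]"
    separator  => " "
    quote_char => '"'
    # One column per space-separated token, in the order they appear
    # in the sample description: 11 tokens, 11 names.
    columns    => ["user", "account", "browser", "os", "forwardList",
                   "ipAddress", "pageURL", "pageTitle", "tabId",
                   "eventType", "customKVP"]
    # Assumed target: keeps the parsed fields together instead of
    # spreading them across the top level of the event.
    target     => "tracking"
    add_tag    => ["description_parsed"]
  }
}
```

Events that fail to parse get the csv filter's default `_csvparsefailure` tag rather than `_grokparsefailure`, which is the tag to watch for when checking the result.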
