How to use GROK pattern for JSON Object

Teja · September 26, 2018, 8:45am

Hi Folks,

I want to apply grok for one JSON object[field] and extract values from the field.

Sample Json Message:

{"event.created":"1537941675000","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","event.payload":"dstintf=\"port3\" profiletype=\"applist\" proto=6 service=\"HTTP\" policyid=959 applist=\"Web_AppCtrl_Profile\" action=\"pass\" msg=\"Update: Root.Certificate.URL,\" ","host":"0.0.0.0","event.category":"System","destination.PostNATport":"0", "device.type":"firewall"}

I am already parsing "event.category, host, event.created, destination.PosyNATport" fields using "json" filter plugin in logstash.

But, Now i want to apply "grok pattern" to json object "event.payload" to parse "service & action etc".

I dont know how to form syntax to achieve above use case in logstash.

Is it possible to achieve or is there any other way to accomplish.?

Gratitude,
TJ

guyboertje · September 26, 2018, 8:50am

While doable it is not advised. You should use the json filter - it is designed to do just that. You can remove any fields that you do not want.

Teja · September 26, 2018, 8:57am

I am already using JSON filter in my logstash to parse other fields such as

But now i want to extract service=\"HTTP\" in "event.payload" json object.

magnusbaeck · September 26, 2018, 9:12am

Use a kv filter.

system · October 24, 2018, 9:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.