I want to further split messages into json and message after splitting them with grok

I am using grok to split messages.
I'm getting a log in json format in a field, and I found a case where the field contains both json and message.
How can I get only the json part for the case that contains both json and message?

target log:
... snip ... {"mode":0, ... snip ... } Log does not exist. ... snip ...

my grok:

grok {
  "match" => { "message" => " ... snip ... %{GREEDYDATA:MY_JSON} ... snip ..." }
}

result:
MY_JSON : {"mode":0, ... snip ... } Log does not exist.

expect:
MY_JSON : {"mode":0, ... snip ... }

Hi,

You can also use regular expressions within grok, so for your example you could use the following grok pattern: ... snip ... (?<MY_JSON>\{.*\}) %{GREEDYDATA:message} ... snip ...

This produces the following result:

{
  "message": "Log does not exist.",
  "MY_JSON": "{\"mode\":0, ... snip ... }"
}

Best regards
Wolfram

Thank you for your prompt reply.
Your advice is spot on.

Please tell me one more thing.
In the previous messages, the message is included after the json, but in some cases, the message is not included.
How can I deal with the case where the message is not included?

target:

case1:
... snip ... {"mode":0, ... snip ... } Log does not exist. ... snip ...

case2:
... snip ... {"mode":0, ... snip ... } ... snip ...

expect:

case1:

MY_JSON : {"mode":0, ... snip ... }
message : Log does not exist.

case2:

MY_JSON : {"mode":0, ... snip ... }

This is not a big problem: ... snip ... (?<MY_JSON>\{.*\})( %{GREEDYDATA:message})? ... snip ...

The ()? makes the content optional, so this will work for both cases.

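The two grok patterns Wolfram gives above (the named capture `(?<MY_JSON>\{.*\})` followed by `%{GREEDYDATA:message}`, and the version with the trailing message made optional by `( ... )?`) can be checked outside Logstash before they go into a pipeline. The block below is an added example, not code from the thread or from Logstash: it translates the second pattern into Python's `re` syntax (grok uses Oniguruma's `(?<name>...)`, Python needs `(?P<name>...)`, and `GREEDYDATA` is just `.*`), runs it over the two cases from the question plus one constructed edge case, and validates the captured `MY_JSON` field with `json.loads`. The `... snip ...` prefix in the thread is unknown, so a constructed `<timestamp> <level> ` prefix stands in for it; the sample lines are constructed too.

```python
import json
import re

# Python re equivalent of the grok pattern from the second answer:
#   (?<MY_JSON>\{.*\})( %{GREEDYDATA:message})?
# The thread elides its prefix as "... snip ...", so a constructed
# "<timestamp> <level> " prefix is assumed in its place.
GROK_LIKE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) "  # assumed prefix (constructed, not from the thread)
    r"(?P<MY_JSON>\{.*\})"              # the JSON object; greedy, so it runs to the LAST '}'
    r"( (?P<message>.*))?"              # optional trailing message, the ()? from the answer
    r"$"
)


def split_json_and_message(line):
    """Apply the grok-like pattern to one line.

    Returns (fields, error). fields mirrors the grok result: MY_JSON (the raw
    captured string), MY_JSON_parsed (json.loads of it) and message (None when
    the optional group did not match). error is a string when the line does not
    match or the capture is not valid JSON, so a pipeline can tag such events
    (as Logstash does with _grokparsefailure) instead of indexing a bad field.
    """
    m = GROK_LIKE.match(line)
    if m is None:
        return None, "grok pattern did not match"
    fields = {"MY_JSON": m.group("MY_JSON"), "message": m.group("message")}
    try:
        fields["MY_JSON_parsed"] = json.loads(fields["MY_JSON"])
    except json.JSONDecodeError as exc:
        return fields, f"MY_JSON is not valid JSON: {exc.msg}"
    return fields, None


# Constructed sample lines (not taken from the thread's real logs).
SAMPLE_LINES = [
    # case1 from the thread: JSON object followed by a message
    '2024-01-01T00:00:00Z INFO {"mode":0,"path":"/var/log/app.log"} Log does not exist.',
    # case2 from the thread: JSON object only, nothing after it
    '2024-01-01T00:00:01Z INFO {"mode":0,"path":"/var/log/app.log"}',
    # constructed edge case: the trailing message itself contains a '}', so the
    # greedy \{.*\} swallows part of the message and MY_JSON is no longer valid JSON
    '2024-01-01T00:00:02Z WARN {"mode":1} Unexpected token } in config',
]


def run_samples(lines=SAMPLE_LINES):
    """Return [(fields, error), ...] for every sample line."""
    return [split_json_and_message(line) for line in lines]


if __name__ == "__main__":
    for line, (fields, error) in zip(SAMPLE_LINES, run_samples()):
        print(line)
        print("  fields:", fields)
        print("  error: ", error)
```

The third sample is the check worth keeping: `\{.*\}` is greedy, so whenever the free-text message after the JSON can contain a `}`, the capture silently extends to that brace. Validating `MY_JSON` (here with `json.loads`, in Logstash with a `json` filter whose failure tag you alert on) catches that case rather than letting a malformed field reach the index.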
Very nice!

()? is quite a help to me.
Thanks to you, I won't have to write any extra if{} else if ... {}.