Insert json string (logtastsh ) - SOLVED

rocavalcante · June 10, 2017, 7:34pm

Hello, I would like to add a json string in the logstash output, and in the future save the output "call output_db" in a postgreSQL database, however, I still can not get the initial step of inserting the whole string into the logstash output.

logstash.conf:
input {
beats {
port => "5043"
type => "json"
}

}

filter {

grok { 
     match => [ "message", "%{GREEDYDATA}"]
}

  json{
      source => "message"
      add_field => { "output"=> {"from":"workstationSMD","event":{"product":{},"moment":"2015121418011800","status":{},"data":"%{message}"}}}

    
  }

}

output {

stdout {
       codec => json_lines

jdbc {

#        connection_string => "jdbc:postgresql://myip/database"
 #       username => "myuser"
  #      password => "mypassword"
   #     statement => [ INSERT INTO logstash_log(log_received)VALUES ('output_db'); ]
        
    #     }
}

}

magnusbaeck · June 11, 2017, 8:23pm

Have a look a the json_encode filter for producing the JSON string. Once that's working, reference it in the jdbc output with the standard %{name-of-field} syntax.

rocavalcante · June 12, 2017, 12:41am

Thanks Magnus!

And on the json string in a single field, is it possible? I already researched a lot using json and mutate filter but I was not successful.
add_field => { "output"=> {"from":"workstationSMD","event":{"product":{},"moment":"2015121418011800","status":{},"data":"%{message}"}}}

magnusbaeck · June 12, 2017, 6:01am

And on the json string in a single field, is it possible?

Sorry, I don't understand.

add_field => { "output"=> {"from":"workstationSMD","event":{"product":{},"moment":"2015121418011800","status":{},"data":"%{message}"}}}

To build a structure like this in Logstash you need to do this:

add_field => {
  "[output][from]" => "workstationSMD"
  "[output][event][moment]" => "2015121418011800"
  "[output][event][data]" => "%{message}"
}

I don't think you can create empty hashes (objects) in this manner. You probably need to use a ruby filter for that.

Once you've done the above you should be able to pass the output field to the json_encode filter.

rocavalcante · June 12, 2017, 12:40pm

Thank you so much! Magnus! I will test

system · July 10, 2017, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.