JSON Array Split

Hi,

I am new to Logstash. I have the following data:

"status": "Request was successful", "nextpagetoken": "eyJsb2dfaWQiOiAiZjgzYmRlZDE0YwMTRmRmMzY5OTQ5NyIsICJkYXRldGltZSI6ICIyMDE5LTExLTEyVDAwOjUyOjE4LjM4ODAwMFoifQ==", "response": {"dataformat": "json", "data": [{"syslogheader": "<110>1 2019-10-04T18:11:09.851000Z api.bitglass.com NILVALUE NILVALUE access", "time": "04 Oct 2019 18:11:09", "user": "Admin AcmeGadgetNet", "email": "admin@acme-gadget.net", "device": "Mac OS X 10.14.6", "application": "Bitglass", "ipaddress": "96.82.93.238", "location": "Sunnyvale||California||CA||US", "activity": "Failure, Login", "action": "", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", "request": "", "transactionid": "8d03a9b271252ef6a15495abb264d627168cb13e [04 Oct 2019 18:11:09]", "emailfrom": "", "emailto": "", "emailsubject": "", "emailcc": "", "emailbcc": "", "emailsenttime": "", "filename": "", "dlppattern": "", "pagetitle": "", "url": "/accounts/login/", "details": "Failed login attempt."}, {"syslogheader": "<110>1 2019-10-07T20:27:36.211000Z api.bitglass.com NILVALUE NILVALUE access", "time": "07 Oct 2019 20:27:36", "user": "Admin AcmeGadgetNet", "email": "admin@acme-gadget.net", "device": "Mac OS X 10.14", "application": "Office 365", "ipaddress": "50.226.196.118", "location": "San Jose||California||CA||US", "activity": "Login", "action": "", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0", "request": "", "transactionid": "f7ab624a276622237bd307d7c73731bcb9 [07 Oct 2019 20:27:36]", "emailfrom": "", "emailto": "", "emailsubject": "", "emailcc": "", "emailbcc": "", "emailsenttime": "", "filename": "", "dlppattern": "", "pagetitle": "", "url": "/idp/init/2657/", "details": "Logged in."}], "dataencoding": "utf-8"}}%

I would like to send out syslog in this format

{"syslogheader": "<110>1 2019-10-04T18:11:09.851000Z api.bitglass.com NILVALUE NILVALUE access", "time": "04 Oct 2019 18:11:09", "user": "Admin AcmeGadgetNet", "email": "admin@acme-gadget.net", "device": "Mac OS X 10.14.6", "application": "Bitglass", "ipaddress": "96.82.93.238", "location": "Sunnyvale||California||CA||US", "activity": "Failure, Login", "action": "", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", "request": "", "transactionid": "8d03a9b27125abb264d627168cb13e [04 Oct 2019 18:11:09]", "emailfrom": "", "emailto": "", "emailsubject": "", "emailcc": "", "emailbcc": "", "emailsenttime": "", "filename": "", "dlppattern": "", "pagetitle": "", "url": "/accounts/login/", "details": "Failed login attempt."},

{"syslogheader": "<110>1 2019-10-07T20:27:36.211000Z api.bitglass.com NILVALUE NILVALUE access", "time": "07 Oct 2019 20:27:36", "user": "Admin AcmeGadgetNet", "email": "admin@acme-gadget.net", "device": "Mac OS X 10.14", "application": "Office 365", "ipaddress": "50.226.196.118", "location": "San Jose||California||CA||US", "activity": "Login", "action": "", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0", "request": "", "transactionid": "f7ab624a276622237bdd0d7c73731bcb9 [07 Oct 2019 20:27:36]", "emailfrom": "", "emailto": "", "emailsubject": "", "emailcc": "", "emailbcc": "", "emailsenttime": "", "filename": "", "dlppattern": "", "pagetitle": "", "url": "/idp/init/2657/", "details": "Logged in."}

This is my filter

filter {
  json {
    source => "message"
  }
  split {
    field => "data"
  }
}

This filter doesn't seem to work

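One way to get one event per record from the data shown in the post, as an added example that is not part of the original post: in the sample, the array is nested at `response.data`, so the `split` filter needs the nested field reference `[response][data]` rather than `data`. The stdin input, the stdout output and the decision to drop the envelope fields are assumptions made for testing, and the example assumes `message` holds the complete JSON object on one line, including its opening brace.

```logstash
# Added example pipeline (assumed stdin input and stdout output for testing).
input { stdin { } }

filter {
  json {
    source => "message"
  }

  # Only continue when the JSON parsed; the json filter tags failures
  # with _jsonparsefailure by default.
  if "_jsonparsefailure" not in [tags] {
    # The array sits at response.data, so use a nested field reference.
    split {
      field => "[response][data]"
    }

    # After split, [response][data] is a single record (a hash).
    # Copy its keys to the top level of the event.
    ruby {
      code => '
        rec = event.get("[response][data]")
        if rec.is_a?(Hash)
          rec.each { |k, v| event.set(k, v) }
        end
      '
    }

    # Drop the API envelope, including the pagination token.
    mutate {
      remove_field => ["response", "status", "nextpagetoken", "message"]
    }
  }
}

output {
  stdout { codec => json_lines }
}
```

Each emitted event carries one record's fields (`syslogheader`, `time`, `user`, and so on) alongside the metadata fields Logstash adds itself, such as `@timestamp` and `@version`.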