Json filter with a problem

Hi, I'm new at this and I haven't been able to separate a JSON response from an API from the word "Ok" at the beginning. Please help. Below is the response.

OK:
[ { "EPOLeafNode.LastUpdate" : null, "EPOLeafNode.NodeName" : "xx.xx.xx.xx", "EPOComputerProperties.IPV6" : null, "EPOComputerProperties.IsPortable" : -1, "EPOComputerProperties.OSVersion" : "x", "EPOComputerProperties.UserName" : "z" }]

You will need to remove those leading characters before you decode the JSON.

Don't use the json codec, use the json filter instead but add the mutate filter with the gsub operation before the json filter.

Something like this:

input {
  generator {
    message => 'OK:
[ { "EPOLeafNode.LastUpdate" : null, "EPOLeafNode.NodeName" : "xx.xx.xx.xx", "EPOComputerProperties.IPV6" : null, "EPOComputerProperties.IsPortable" : -1, "EPOComputerProperties.OSVersion" : "x", "EPOComputerProperties.UserName" : "z" }]'
    count => 1
  }
}

filter {
  mutate {
    gsub => ["[message]", "^OK:\n\[ (?<body>.+)]$", '\k<body>']
  }
  json {
    source => "[message]"
  }
}

output {
  stdout {
    codec => rubydebug {metadata => true}
  }
}

Gives:

{
    "EPOComputerProperties.IsPortable" => -1,
                            "sequence" => 0,
                          "@timestamp" => 2018-04-17T16:48:39.944Z,
                "EPOLeafNode.NodeName" => "xx.xx.xx.xx",
          "EPOComputerProperties.IPV6" => nil,
                            "@version" => "1",
                                "host" => "Elastics-MacBook-Pro.local",
      "EPOComputerProperties.UserName" => "z",
                             "message" => "{ \"EPOLeafNode.LastUpdate\" : null, \"EPOLeafNode.NodeName\" : \"xx.xx.xx.xx\", \"EPOComputerProperties.IPV6\" : null, \"EPOComputerProperties.IsPortable\" : -1, \"EPOComputerProperties.OSVersion\" : \"x\", \"EPOComputerProperties.UserName\" : \"z\" }",
              "EPOLeafNode.LastUpdate" => nil,
     "EPOComputerProperties.OSVersion" => "x"
}
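
The same prefix handling as standalone Ruby, the language of Logstash's ruby filter, as an added example that is not part of the original replies. It parses the whole array rather than stripping the outer brackets, so it also covers a response with more than one record; the helper name, the second sample record, and the handling of any status other than OK are assumptions.

```ruby
require "json"

# Constructed sample in the shape shown in the thread: a status word and colon,
# a newline, then a JSON array. The second record is added here to show that
# parsing the whole array does not depend on it holding exactly one object.
SAMPLE = <<~RAW
  OK:
  [ { "EPOLeafNode.NodeName" : "xx.xx.xx.xx", "EPOComputerProperties.IsPortable" : -1 },
    { "EPOLeafNode.NodeName" : "yy.yy.yy.yy", "EPOComputerProperties.IsPortable" : 0 } ]
RAW

# Hypothetical helper: splits "<STATUS>:\n<json>" into the status and the records.
# Returns [status, records]; raises ArgumentError on a missing prefix or bad JSON.
def parse_prefixed_response(raw)
  match = /\A\s*(?<status>[A-Za-z]+):\s*(?<body>.*)\z/m.match(raw)
  raise ArgumentError, "no status prefix found" unless match

  status = match[:status]
  # Assumption: any status other than OK carries plain text, not JSON,
  # so the body is returned unparsed for logging.
  return [status, match[:body].strip] unless status == "OK"

  begin
    parsed = JSON.parse(match[:body])
  rescue JSON::ParserError => e
    raise ArgumentError, "body after prefix is not valid JSON: #{e.message}"
  end
  # Normalise a single object to a one-element list so callers always get an array.
  [status, parsed.is_a?(Array) ? parsed : [parsed]]
end

if __FILE__ == $PROGRAM_NAME
  status, records = parse_prefixed_response(SAMPLE)
  puts "#{status}: #{records.length} record(s)"
  records.each { |r| puts r["EPOLeafNode.NodeName"] }
end
```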
