JSON parse failure

Shyam_Burla · February 4, 2018, 6:21pm

I trying to parse log message which is below..
{
"records":
[

	{
		 "ActivityId": "XXX",
		 "EventName": "XXX",
		 "resourceId": "XXXX",
		 "SubscriptionId": "XXXXX",
		 "EventTimeString": "XXXXX",
		 "EventProperties": "{\"SubscriptionId\":\"XXX\",\"Namespace\":\"ehnamespace\",\"Via\":\"XXX\",\"TrackingId\":\"XX\"}",
		 "Status": "XXX",
		 "Caller": "XXXX",
		 "category": "XXXX"
	}

I'm able to parse all the other fields but for EventProperties I 'm not able to split the fields.

This is my logstash syntax
split
{
field => "records"
add_field => {
"EventTime" => "%{[records][EventTimeString]}"
"EventName" => "%{[records][EventName]}"
"ActivityId" => "%{[records][ActivityId]}"
"SubscriptionId" => "%{[records][SubscriptionId]}"
"Namespace" => "%{[records][EventProperties][Namespace]}"
"Status" => "%{[records][Status]}"
"Caller" => "%{[records][Caller]}"
"category" => "%{[records][category]}"
}

     # remove_field => ["records"]
  }

I'm looking to parse the namespace field properly.

magnusbaeck · February 4, 2018, 10:10pm

The contents of EventProperties is a JSON string. Use a json filter to parse it.

Shyam_Burla · February 5, 2018, 10:56pm

Thanks, It Works

system · March 5, 2018, 10:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.