Hi All,
I'm trying to index the Camel logs by using a grok pattern and the json filter in Logstash and then push the same to ES.
Below is the sample log snippet that I'm trying to parse.
07:32:49.805 [Camel (MyCamel) thread #3 - seda://fetchSFDCRetailLogs] INFO loggerRoute - {"timestamp":"17-2020-08 07-32-49","processName":"EmailValidation","serviceName":"SFDCRETAIL_FE_ADAPTER","targetSystem":"CREDITVIDYA_BE_ADAPTER","messageType":"SourceRequest","username":"SFDCRetail","conversationId":"123345678","transactionId":"ID-sfdcretailfrontendadapter-263-8wsrv-1597305746529-0-4876","headerDetails":{"authorization":"Basic ODY5Y2FjZDk6c2ZkY3JldGFpbHVhdA==","conversationId":"123345678","sourceName":"SFDCRetail","recipient":"","otpRefNo":""},"payload":{
"firstName": "Jigar",
"middleName": "Nareshbhai",
"lastName": "Shah",
"pfNumber": "",
"designation": "",
"companyName": "UNION BANK OF INDIA",
"city": "Ahmedabad",
"uniqueId": "",
"officeStateCode": "",
"officeAddressLine1": "",
"email": "THusena.prj@tatacapital.com",
"clientReference": {
"transactionId": "",
"applicantType": "1",
"losId": "6059185",
"applicantId": "CUST11056089",
"loanType": "Personal Loan",
"leadId": "",
"webtopNumber": "272PZ0001137",
"sourceSystem": "sfdc_retail"
},
"officeAddressLine3": "",
"income": "34235",
"officeAddressLine2": "",
"imeiNo": "",
"iPAddress": "",
"mobileNumber": ""
},"status":""}
Below is the Logstash configuration file configured for the same.
input{
  beats{
    port => 5044
  }
}
filter{
  if [kubernetes][namespace] == "dev"{
    grok{
      match => ["message", "%{TIME:timestamp:date} %{GREEDYDATA:Thread} %{WORD:LoggingLevel} %{WORD:RouteName} - (?<logmessage>(.|\r|\n)*)"]
    }
    json{
      source => "logmessage"
      target => "doc"
    }
    if "_grokparsefailure" in [tags]{
      drop {}
    }
  }
}
output{
  if [kubernetes][namespace] == "dev"{
    elasticsearch{
      hosts => ["http://ipaddress:port"]
      index => "esblogs-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "password"
    }
  }
}
I'm able to parse the logs using the grok pattern and json filter using the Logstash conf file. But this creates all the fields that are part of the above JSON request.
What I would like to achieve is that the json filter parses the logs only to a depth of 1. It should not create fields that are part of the "payload" tag in the JSON request.
Can someone please guide me on how to achieve the same?
Thanks and Regards,
Rakesh Chhabria
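
One way to get the depth-1 behaviour asked for above, as an added example that is not part of the original post: the json filter parses as before, then a ruby filter removes every key under `doc` whose value is an object or array. In the sample event that removes `payload` and also `headerDetails`, which carries the Basic `authorization` header. The filter order and the removal of `logmessage` are choices of this example.

```logstash
filter {
  if [kubernetes][namespace] == "dev" {
    grok {
      match => ["message", "%{TIME:timestamp:date} %{GREEDYDATA:Thread} %{WORD:LoggingLevel} %{WORD:RouteName} - (?<logmessage>(.|\r|\n)*)"]
    }
    # Drop unparsable lines before attempting to parse JSON from them.
    if "_grokparsefailure" in [tags] {
      drop {}
    }
    json {
      source => "logmessage"
      target => "doc"
    }
    # Keep only depth-1 scalar fields under [doc]: remove every key whose
    # value is an object or an array (payload and headerDetails in the sample).
    ruby {
      code => '
        doc = event.get("doc")
        if doc.is_a?(Hash)
          doc.each do |key, value|
            event.remove("[doc][#{key}]") if value.is_a?(Hash) || value.is_a?(Array)
          end
        end
      '
    }
    # The raw JSON text is still held in logmessage; remove it so the nested
    # content is not indexed through that field.
    mutate {
      remove_field => ["logmessage"]
    }
  }
}
```

The unparsed line also remains in `message`, so that field needs to be removed or redacted as well if the payload and the authorization header must not reach the index.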