Logstash filter for records of nested json messages from eventhub

Sivaramakrishhna_Amb · September 22, 2022, 9:34am

Input message looks like below

{
"records": [
{
"level": "Informational",
"properties": {
"Keywords": 0,
"ProviderName": "Core.LogRecord",
"Message": "2022-09-08 08:17:02,935 [23] INFO {"Message":"9/8/2022 8:17:02 AM - StarhubAuthTokenFunc - Identifier => 0 CanRefreshToken = False","Exception":null,"Environment":"NANANA","Server":"XXXXXX","ContextType":"Message","CorrelationId":null,"ApplicationName":"Microsoft.Azure.WebJobs.Script.WebHost","ApplicationVersion":"2.0.0.0","Data":""}"
},
"time": "2022-09-08T08:17:02.9358854+00:00"
}
]
}

Output:
all tags should be able to see in kibana as key and associated value

Can I get any help in this regard .

leandrojmp · September 22, 2022, 11:51am

What are you trying to do? What is not working? And what is the expected result?

You need to provide more information.

Sivaramakrishhna_Amb · September 22, 2022, 2:50pm

Thanks Leandro for response,
logstash filter I'm using is as below

filter{
json {

source => "message"
remove_field => ["message"]

}

split {
field => "records"
}
ruby {
code => '
records_size = event.get("[records]").size
records_size.times do |index|
event.set("[records][#{index}][properties][Message]", event.get("[records][#{index}][Message]"))

  end
'

}
date {
match => [ "time", "ISO8601" ]
}
mutate {
add_field => { "feed_site" => "netherlands" }
add_field => { "feed_name" => "teleena" }
add_field => { "feed_type" => "logs" }
add_field => { "feed_doc" => "afandsf-eventhub" }
}
}

Output is like this but requirement is it should show all the key-values including inside the Message
Please suggest filter for it

system · October 20, 2022, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.