Logstash filter to parse json --> json deserialized string

akustic · January 8, 2018, 3:08am

I have some log files I want to parse and they are in the following format.

{"log":"{"@timestamp":"2018-01-08T02:11:35.651+00:00","@version":1,"message":"\u001B[36mFinished \u001B[0m:get / for 139.162.106.181 in (1 ms) Status: \u001B[39m200\u001B[0m","logger_name":"ring.logger.tools-logging","thread_name":"worker-1","level":"INFO","level_value":20000}\n","stream":"stdout","time":"2018-01-08T02:11:35.651496485Z"}

It is json, but the inner block is a string of json, how would I parse this?

What I have so far.

input {
file {
path => ["/var/log/containers/*.log"]
}
}

filter {
grok {
match => { "path" => "/var/log/containers/%{NOTSPACE:service}%{NOTSPACE:namespace}%{NOTSPACE:pod}*.log" }
}
json {
source => "message"
}
}

output {
elasticsearch {
hosts => ["https://elasticsearch.bleh.com:9200"]
ssl => true
index => "logz-%{namespace}-%{+YYYY.MM.dd}"
}
}

magnusbaeck · January 8, 2018, 8:18am

json {
source => "message"
}

The JSON string appears to be in the log field, not message.

system · February 5, 2018, 8:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.