Logstash. Get fields by position number

Paul_Letski · June 16, 2015, 9:54am

Background

I have the scheme: logs from my app go through rsyslog to central log server, then to Logstash and Elasticsearch. Logs from app is a pure JSON, but rsyslog adds to log "timestamp", "app name" and "server name" fileds. And log becomes to this:

timestamp app-name server-name [JSON]

Question

How can I remove first three fields with Logstash filters? Can I get fields by position numbers (like in awk) and do something like:

filter {
  somefilter_name {
      remove_field => $1, $2, $3 
  }
}

Or maybe my vision is totally wrong and I must do this in another way?

Thank you!

warkolm · June 17, 2015, 4:11am

Do you want to remove them completely or just from the message part?

You can use mutate to do either.

Paul_Letski · June 17, 2015, 1:42pm

I want to remove them completely.
I got an advice on stackoverflow to use filter like this:

grok {
     pattern => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:app} %{WORD:server} %{GREEDYDATA:message}"
     overwrite => [ "message" ]
}

json {
    source => "message"
}

But now I'm getting error in log about "Trouble parsing json".

magnusbaeck · June 25, 2015, 7:31pm

Well, what does the message field that you're trying to parse as JSON look like?