Logstash json filter parsed fields cannot be read within logstash

gringo · February 10, 2017, 5:07am

I am parsing a json file with "codec => json" in the input and " json { source=>message }" in the filter.

I have also tried alternating the two.

The parsed fields cannot be read by logstash using "if [comment]". This will not work despite the being about to see the field with values with "stdout { codec => rubydebug }" as output

magnusbaeck · February 10, 2017, 7:39am

Please show us an example event (from your stdout output) and your configuration.

gringo · February 10, 2017, 7:55am

Below is a section of the output

            "host" => "ksa-op",
            "type" => "NP-Alerts",
            "rule" => {
         "level" => 10,
       "comment" => "Windows error.......",
         "aadid" => 101010,
    "watereddtimes" => 1,
        "groups" => [
        [0] "redhat"
    ],
       "PCK_DOS" => [
        [0] "1.12.5"
    ]
},

The if statements below cannot be satisfied
if [comment]
if [level]

I need to rename the fields but it seems that it does not even exist

magnusbaeck · February 10, 2017, 8:15am

level and comment are subfields of rule, i.e. you need to refer to them as [rule][level] and [rule][comment].

gringo · February 13, 2017, 5:37am

Thanks for your help! Problem solved.

system · March 13, 2017, 5:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.