Logstash json filter parsed fields cannot be read within logstash

gringo · February 10, 2017, 5:07am

I am parsing a json file with "codec => json" in the input and " json { source=>message }" in the filter.

I have also tried alternating the two.

The parsed fields cannot be read by logstash using "if [comment]". This will not work despite the being about to see the field with values with "stdout { codec => rubydebug }" as output

magnusbaeck · February 10, 2017, 7:39am

Please show us an example event (from your stdout output) and your configuration.

gringo · February 10, 2017, 7:55am

Below is a section of the output

            "host" => "ksa-op",
            "type" => "NP-Alerts",
            "rule" => {
         "level" => 10,
       "comment" => "Windows error.......",
         "aadid" => 101010,
    "watereddtimes" => 1,
        "groups" => [
        [0] "redhat"
    ],
       "PCK_DOS" => [
        [0] "1.12.5"
    ]
},

The if statements below cannot be satisfied
if [comment]
if [level]

I need to rename the fields but it seems that it does not even exist

magnusbaeck · February 10, 2017, 8:15am

level and comment are subfields of rule, i.e. you need to refer to them as [rule][level] and [rule][comment].

gringo · February 13, 2017, 5:37am

Thanks for your help! Problem solved.

system · March 13, 2017, 5:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I parse inner fields from json? Logstash	3	544	February 6, 2017
Set root for json codec Logstash	7	1613	July 15, 2019
Json filter question Logstash	3	315	July 6, 2017
Json codec vs json filter in file input Logstash	4	1278	June 7, 2017
Nested Json logs - how to filter correctly Logstash	12	4628	July 6, 2017

Logstash json filter parsed fields cannot be read within logstash

Related topics