Logstash kv filter questions


#1

I am trying to parse the log, but right now all the messages have been parsed into one field and it looks like this:

message:time=2017-05-17T11:01:05.810417-04:00 e[32mseverity=INFO e[0m pid=76561 method=GET path=/studies/408934/report format=xlsx controller=ReportsController action=show status=200 duration=2653.09 view=2258.61 db=237.51 time=2017-05-17 11:01:03 -0400 ip=127.0.0.1 host=dev.central.miovision.com user=ywang@miovision.com params={"download_token"=>"1495033261", "report"=>{"format"=>"xlsx", "bin_size"=>"900", "legs_and_movements"=>"processed", "approach_order"=>"n_ne_e_se_s_sw_w_nw", "movement_order"=>"rtlu", "include_raw_data"=>"false", "pces_enabled"=>"false"}, "study_id"=>"408934"}

However, I am trying to get the field "download_token"=>"1495033261" from params. Is there a way to do this?

My current filter is as follows

filter {
  kv { 
    trimkey => "<>\[\],`\."
    remove_field => ["\\%{some_field}", "{%{some_field}"]
    include_brackets => false
  }
}

Thanks so much
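One way to pull `download_token` out of `params`, as an added example that is not part of the original post: kv splits on whitespace and `=`, so the Ruby-hash text after `params=` is cut off with grok first, kv runs only on the flat part, and a second grok captures the token. The field names `kv_part`, `params` and `download_token` and the tag `_no_download_token` are assumptions chosen for this example.

```logstash
filter {
  # Split the line into the flat key=value prefix and the params hash.
  # Assumes params= is the last item on the line, as in the sample above.
  grok {
    match => { "message" => '^(?<kv_part>.*?) params=(?<params>\{.*\})\s*$' }
  }

  # Run kv only on the flat prefix so the "=>" pairs inside params
  # are not split into bogus keys.
  kv {
    source => "kv_part"
    remove_field => ["kv_part"]
  }

  # Capture the token value from the hash text. Events without a token
  # are tagged instead of getting the default grok failure tag.
  grok {
    match => { "params" => '"download_token"=>"(?<download_token>[^"]*)"' }
    tag_on_failure => ["_no_download_token"]
  }
}
```

Because the sample line contains `time=` twice, kv stores both values under `time`, and the second one is cut at its first space.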

