My logstash.conf is as follows, it is used to read data from events.txt and use ruby code plugin to add tag to non json event.
input {
file {
path => ["/home/events.txt"]
start_position => "beginning"
sincedb_path=> "/dev/null"
}
}
filter {
ruby {
code => "
begin
parsed = LogStash::Json.load(source)
rescue => e
event.tag('_jsoncheckfailure')
# event.cancel
end
"
}
json {
source => "message"
}
}
output {
stdout { codec => rubydebug { metadata => true } }
}
events.txt is as follows
{"id":1,"something":"text1"}
{"id":23,"something":"text1"}
fafgag
and the result log is as follows
{
"@timestamp" => 2023-08-16T08:48:42.443091400Z,
"log" => {
"file" => {
"path" => "/home/events.txt"
}
},
"@metadata" => {
"host" => "3097239bf923",
"path" => "/home/events.txt"
},
"host" => {
"name" => "3097239bf923"
},
"@version" => "1",
"id" => 23,
"event" => {
"original" => "{\"id\":23,\"something\":\"text1\"}"
},
"message" => "{\"id\":23,\"something\":\"text1\"}",
"something" => "text1",
"tags" => [
[0] "_jsoncheckfailure"
]
}
{
"@timestamp" => 2023-08-16T08:48:42.443449300Z,
"log" => {
"file" => {
"path" => "/home/events.txt"
}
},
"@metadata" => {
"host" => "3097239bf923",
"path" => "/home/events.txt"
},
"host" => {
"name" => "3097239bf923"
},
"@version" => "1",
"event" => {
"original" => "fafgag"
},
"message" => "fafgag",
"tags" => [
[0] "_jsoncheckfailure",
[1] "_jsonparsefailure"
]
}
{
"@timestamp" => 2023-08-16T08:48:42.438113200Z,
"log" => {
"file" => {
"path" => "/home/events.txt"
}
},
"@metadata" => {
"host" => "3097239bf923",
"path" => "/home/events.txt"
},
"host" => {
"name" => "3097239bf923"
},
"@version" => "1",
"id" => 1,
"event" => {
"original" => "{\"id\":1,\"something\":\"text1\"}"
},
"message" => "{\"id\":1,\"something\":\"text1\"}",
"something" => "text1",
"tags" => [
[0] "_jsoncheckfailure"
]
}
It seems the LogStash::Json.load(source) does not work, but I check the code with json plugin, the json plugin also uses the code to parse json.