Matching a nested field in a JSON formatted log

(Martin) #1

I'm experimenting with logging with the Elastic stack. I have forced something to write messages to a logfile, which will be read by FileBeat and send to Logstash. I've managed to get my first grok filter working. However, now I wanted to pattern match something else than the message field, I've run into a problem. The following is not working:

filter {
grok {
match => { "log.file.path" => "/(?<test>[^/]+)$" }
break_on_match => false
}
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\t% {LOGLEVEL:log.level}\s(?\w+/\w*.\w+:\d+)\t%{GREEDYDATA:innerMessage}" }
}
}

I've tested the regex in the Grok debugger, which seemed to indicate it was working. For now, my best guess is that the pattern matching fails because it's a nested field in the json document delivered by FileBeat. I've also tried to match simply on "path", but that didn't seem to work either.

This is (part of) the json document I'm trying to match:

"log": {
"file": {
"path": "/var/log/ELKlogs/winlogbeat"
},
"offset": 121782

(Charlie) #2

Is this a json field you are after?
If yes you can access the field like:
[log][file][path]

(Martin) #3

Yeah, that seems to work!
Thanks! :slight_smile: