Message in json but not full

Arnodl · August 6, 2019, 12:53pm

Hello, I have problem with parsing the message:
fun.host.pl: /storage/test / applications / central / logger_data_20190801: prm:
{
"@timestamp": "2019-08-01T10:24:07.32",
"appid": "prm",
"tags": ["SUCC:AUTHEN"],
"client": {
"ip": "127.0.0.1"
},
"host": {
"hostname": "fun.host.pl",
"type": "test"
},
"service": {
"name": "prm",
"session_id": "12ab3",
"type": "access",
"subname": "login"
},
"user": {
"id": "userek"
}
}

this is json but by the beginning of the message: "fun.host.pl: /storage/test / applications / central / logger_data_20190801: prm:" my message is not being parsed and it looks like this:
{
"message": "iastest16.test.sun.orange.sk:/storage/test/applications/central/logger_data_20190801:prm:{ "@timestamp": "2019-08-01T09:10:52.47", "appid": "prm", "tags": [ "SUCC:AUTHEN" ], "client": { "ip": "10.8.253.166" }, "host": { "hostname": "iastest16.test.sun.orange.sk", "type": "test" }, "service": { "name": "prm", "session_id": "201908010910524740a2223e-79bf-411c-8912-6664a3118493", "type": "access", "subname": "login" }, "user": { "id": "userek" } }\n\n",
"@version": "1",
"@timestamp": "2019-08-01T07:10:53.369Z"
}

how to remove the part of which is not json?

Badger · August 6, 2019, 1:40pm

mutate { gsub => [ "message", "\A[^{]+", "" ] }

Arnodl · August 7, 2019, 12:51pm

it doesn't work on the website: https://regexr.com/

Badger · August 7, 2019, 1:39pm

OK, but it works in logstash.

system · September 4, 2019, 1:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.