Hey Guys,
New to Logstash, and I tried to read the documentation as much as possible but still confused..
Can anyone help me grok 'sessionId' and 'user' out of this message? Trying to get the values into new fields.
I know its JSON data, but we are treating it as string for now.
{"data":{"type":"external features","event":"App started"},"House":"44 King St","sessionId":"43-22-33","timestamp":"2019-07-04T23:58:40.405Z","type":"externalFeature","user":"155"}
Thank you!
I would definitely use a json filter rather than grok, but if you insist...
grok {
match => { "message" => [ '"user":"%{NUMBER:user}"', '"sessionId":"(?<sessiondId>[^"]+)"' ] }
break_on_match => false
}Thanks Badger,
works well. The reason why I was hesitant to go with a JSON filter, is because there's characters in front of the JSON that were causing parsing errors, and I wasn't quite sure how to trim them.
You might be able to do it using mutate+gsub. For example if the additional characters never contain { then you could use
mutate { gsub => [ "message", '^[^{]+{\s*"', '{"' ] }
That allows for optional whitespace between the { and the first "
Awesome , yeah that should work too! thanks again
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.