Parse and extract json fields using logstash

Hi, I have the log below after applying the JSON filter (the outer braces of the document were dropped when pasting). I need every field inside the nested JSON object `log` hoisted to the top level of the event: for example, instead of `[log][user]` or `[log][action]` I need plain `user` and `action`. Note that `log` contains `timestamp` and `version` keys that also exist at the top level, so the hoisting has to decide which value wins.

    "version": 2,
    	"timestamp": "2020-05-17T22:52:18.615Z",
    	"hostname": "fdhgsdsfh.dhfdh.com",
    	"daemon": "cz-dhdh",
    	"log": {
    		"action": "allow",
    		"action_id": "c7bfa620-4bc2-3375-86ec-cf456be80672",
    		"client_port": 4995,
    		"connection_type": "established",
    		"destination_port": 3389,
    		"direction": "up",
    		"ou": "ddf",
    		"user": "ddhd.s",
    		"event_type": "ip_access",
    		"geoip": {
    			"ip": "89.x.xx.x",
    			"time_zone": "Asia/Qatar",
    			"continent_code": "AS",
    			"city_name": "Doha",
    			"country_name": "Qatar",
    			"country_code2": "QA",
    			"country_code3": "QA",
    			"region_code": "DA",
    			"location": {
    				"lon": 51.51,
    				"lat": 25.29
    			},
    			"latitude": 25.25,
    			"longitude": 51.531,
    			"cordinates": [
    				51.51,
    				25.29
    			]
    		},
    		"packet_size": 40,
    		"protocol": "TCP",
    		"rule_name": "AX-Server-RDP-0",
    		"source_ip": "192.168.100.9",
    		"source_port": 50901,
    		"timestamp": "2020-05-17T22:52:18.615Z",
    		"version": 12
    	}

I am using the below config:

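    # Parse the raw JSON document in [message] into top-level fields, then
    # hoist the nested "log" object so that [log][user] becomes [user] etc.
    # The json filter alone (the original config) leaves everything under [log].
    filter {
      json {
        source => "message"
        # No target is set, so parsed keys land directly on the event. The
        # plugin tags events it cannot parse (by default _jsonparsefailure)
        # rather than dropping them, so malformed input stays inspectable.
      }
      # Copy every key of the parsed [log] object to the top level.
      # These keys are chosen by whoever produced the log line, so they must
      # not be allowed to silently overwrite fields the pipeline already set
      # (hostname, @timestamp, the top-level "version"/"timestamp" in the
      # sample, ...). On a collision the existing value is kept and the event
      # is tagged so the conflict can be found downstream.
      ruby {
        code => '
          nested = event.get("log")
          if nested.is_a?(Hash)
            nested.each do |key, value|
              if event.include?(key)
                event.tag("_log_field_collision")
              else
                event.set(key, value)
              end
            end
            # Drop the now-duplicated container; only done when it really
            # was an object, a non-object [log] is left untouched.
            event.remove("log")
          end
        '
      }
    }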

That is answered here (the link did not survive this copy). The usual approach is a `ruby` filter that iterates over `event.get("log")`, calls `event.set(key, value)` for each entry and then removes `[log]`; watch for keys that collide with fields already on the event, such as `timestamp` and `version` in the sample above.

Thanks for the quick support. It works
