Parse JSON input into fields

exceltior · February 16, 2018, 7:07pm

Hi,

I have been trying to turn a JSON blob keys, which I receive from input into data fields but I have been unsuccessful for some hours.

JSON Blob fed to input

{
  "timestamp": "[16/Feb/2018:19:19:03 +0000]",
  "@version": "1",
  "clientip": "127.0.0.1",
  "url": "/test",
  "code": "200",
  "method": "GET",
  "size": "12",
  "bytes_rcvd": "135",
  "bytes_sent": "395",
  "country": "test",
  "domain": "test.com",
  "customer": "john_beast",
  "user": "beast",
  "cache": "HIT",
  "ttfb": "0.002457",
  "referer": "-",
  "user-agent": "curl/7.47.0",
  "x-forwarded-for": "x.x.x.x",
  "error": "-"
}

Logstash 1

Filter

    filter {
        json {
            source => "message"
        }
        mutate {
            remove_field => [ "message", "path", "timestamp"]
        }

        date {
            match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
        }
    }

Output plugin

  tcp {
        id => "es-output"
        host => "x.x.x.x"
        port => 80
        mode => "client"
        codec=> "json_lines"
 }

Logstash 2

input {
  tcp {
    mode => "server"
    port => 31311
  }
   
}
output {
    elasticsearch {
        hosts => ["http:/x.x.x.x1:9200"]
    }
}

ES Output

 {
   "_index": "logstash-2018.02.16",
   "_type": "doc",
   "_id": "wQcAoGEBkMC_ERzMJgWb",
   "_version": 1,
   "_score": null,
   "_source": {
     "message": "{\"country\":\"test\",\"referer\":\"NULL\",\"code\":\"200\",\"user\":\"beast\",\"ttfb\":\"0.002468\",\"error\":\"NULL\",\"clientip\":\"127.0.0.1\",\"@version\":\"1\",\"host\":\"test-server\",\"cache\":\"hit\",\"method\":\"GET\",\"x-forwarded-for\":\"x.x.x.x\",\"bytes_sent\":\"397\",\"url\":\"/test\",\"@timestamp\":\"2018-02-16T19:03:39.820Z\",\"bytes_rcvd\":\"135\",\"size\":\"12\",\"domain\":\"test.com\",\"customer\":\"john_beast\",\"user-agent\":\"curl/7.47.0\"}",
     "@version": "1",
     "host": "gcloud-123df2tr43g34g3",
     "port": 1264,
     "@timestamp": "2018-02-16T19:03:39.829Z"
   },
   "fields": {
     "@timestamp": [
       "2018-02-16T19:03:39.829Z"
     ]
   },
   "sort": [
    1518807819829
   ]
 }

Could you help me turn each message key into field data? I have tried many solutions from forum but no success yet.

Thanks very much.

Kind regards,
John

magnusbaeck · February 16, 2018, 8:27pm

What's on the other end of the tcp output? In other words, what is Logstash sending to?

exceltior · February 17, 2018, 11:34am

I have two logstash(i edited post with other logstash config), the first one parses that configuration and uses output tcp module to send it to other logstash which is in server mode, and only then, it's sent to Elasticsearch and watched in Kibana.

Architecture:

Logstash 1(parses JSON, filters and tcps output) -> Logstash 2(tcp input and outputs ES) -> Elasticsearch -> Kibana

magnusbaeck · February 19, 2018, 7:02am

Make sure the codec of your tcp input matches the one of your tcp output.

exceltior · February 19, 2018, 11:14am

Thanks very much, that worked

system · March 19, 2018, 11:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.