Parse json message

Roque_Moyano · June 19, 2018, 6:06pm

Hi , I have a json message log like:

{ 'date': "xx" , 'env': "xx" }

I want to create those fields in elasticsearch just if those fields are present and anything else , my filter is:

filter {
json { source =>"message"
   target => "log"   }

}

output {
elasticsearch {
hosts => ["x.x.x.x:9200"]
manage_template => false
index => "docker-%{+YYYY.MM.dd}"
}
}

that works but i want to drop the messages that don't satisfy the condition that have only 2 fields in the json log , in this case "date" and "env" , how can I do that?

thanks in advance.

Badger · June 19, 2018, 6:45pm

This will drop the event if it finds a field other than date and env in log.

    ruby {
        code => "
            event.get('log').each { |k, v|
                    if k != 'date' and k != 'env'
                        event.cancel()
                    end
            }
        "
    }

If I recall correctly the json filter does not like single quotes, so you may need to

mutate { gsub => [ "message", "'", '"' ] }

system · July 17, 2018, 6:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.