Parse log line into JSON even when some tags from log can miss

Vinitc · May 28, 2018, 2:14pm

Hi,

My log line looks like below. In my log it is possible that few tags could miss (example: CITY or ZIPCODE or any other tag may not always be present). I want to parse this log and show output as JSON.

Log Line:
20180524T104101.550 GMT, ID=A-124, FIRST_NAME=ABC, LAST_NAME=XYZ, ADDRESS1=123 STREET, CITY=NEW YORK, STATE=NEW YORK ZIPCODE=40001

I tried giving regex patterns but they work only when all tags are present if any of the random tags are not present then I get _grokparsefailure

Can you please help me know if it is possible to parse log into JSON even when some tags can miss.

Thank you!

magnusbaeck · May 28, 2018, 4:52pm

Use a grok filter to extract the timestamp into one field and the rest of the string into another field. Then feed the latter field to a kv filter.

Vinitc · May 28, 2018, 6:01pm

Thanks. Let me try above suggestion.

Vinitc · May 29, 2018, 2:44am

It worked. Thank you very much. I want to remove default fields like host, message, @timestamp, @version, etc. Is there a way to do it?

magnusbaeck · May 29, 2018, 5:55am

You can't remove @timestamp but all other fields can be removed with a remove_field option in any existing filter or in a mutate filter of its own.

Topic		Replies	Views
Logstash Grok Filter _tags vs _fields Logstash	5	2279	March 17, 2017
Mixed log with json field Logstash	9	3501	July 6, 2017
_jsonparsefailure with grok in Logstash Logstash	3	507	April 9, 2020
Parse specific field when JSON filter failed Logstash	2	263	June 21, 2022
Help with logstash config Logstash	4	395	October 16, 2018

Parse log line into JSON even when some tags from log can miss

Related topics