Parse log line into JSON even when some tags from log can miss

Vinitc · May 28, 2018, 2:14pm

Hi,

My log line looks like below. In my log it is possible that few tags could miss (example: CITY or ZIPCODE or any other tag may not always be present). I want to parse this log and show output as JSON.

Log Line:
20180524T104101.550 GMT, ID=A-124, FIRST_NAME=ABC, LAST_NAME=XYZ, ADDRESS1=123 STREET, CITY=NEW YORK, STATE=NEW YORK ZIPCODE=40001

I tried giving regex patterns but they work only when all tags are present if any of the random tags are not present then I get _grokparsefailure

Can you please help me know if it is possible to parse log into JSON even when some tags can miss.

Thank you!

magnusbaeck · May 28, 2018, 4:52pm

Use a grok filter to extract the timestamp into one field and the rest of the string into another field. Then feed the latter field to a kv filter.

Vinitc · May 28, 2018, 6:01pm

Thanks. Let me try above suggestion.

Vinitc · May 29, 2018, 2:44am

It worked. Thank you very much. I want to remove default fields like host, message, @timestamp, @version, etc. Is there a way to do it?

magnusbaeck · May 29, 2018, 5:55am

You can't remove @timestamp but all other fields can be removed with a remove_field option in any existing filter or in a mutate filter of its own.

system · June 26, 2018, 5:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.