I have this JSON log and I am trying to parse it with a Logstash ruby filter, but I am having a hard time because I don't know any Ruby.
Here is my log. Can anyone show me the proper way to parse nested JSON? Is there an easier way to parse it?
{"id":"ergegr","category":"Account Provisioning","correlationId":"620eee64-3a07-4e49-9914-2ba00f7e8665","result":"failure","resultReason":"We will attempt to retry an operation that previously failed on Group 'Resident Families_Willow Glen'; Error: This object is to be re-synchronized: . We will retry this operation on the next synchronization attempt.","activityDisplayName":"ergegerg","activityDateTime":"2018-08-18T00:56:23.9827818Z","loggedByService":null,"initiatedBy":{"user":null,"app":{"appId":null,"displayName":"dhyergeger","servicePrincipalId":null,"servicePrincipalName":null}},"targetResources":[{"@odata.type":"#microsoft.graph.targetResourceServicePrincipal","id":"d7994216-7ed7-4212-8d35-866cd1e3bfca","displayName":"ServiceNow","appId":null,"modifiedProperties":[]},{"@odata.type":"#microsoft.graph.targetResourceGroup","id":null,"displayName":"rgerg erger gerherh ","groupType":"unknownFutureValue","modifiedProperties":[]}],"additionalDetails":[{"key":"Details","value":"Error was originally encountered at 2018-07-31 10:59:27Z."},{"key":"ErrorCode","value":"Retry"},{"key":"EventName","value":"EntryEscrowProcess"},{"key":"JoiningProperty","value":"ergerge erger gerg eger"},{"key":"SourceAnchor","value":"a8770470-d502-44cd-b97a-4f3648ee3c86"},{"key":"TargetAnchor","value":""}]}
I have tried the split filter, but it does not handle the nested arrays well.
Here is my config file.
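input {
  stdin {}
}

filter {
  # The grok pattern `(?<json_raw>.*)` in the original config only copies the
  # raw line into [json_raw]; it never decodes the JSON. As a result
  # [targetResources] is nil when the ruby filter runs and `nil.length`
  # raises, tagging every event with _rubyexception.
  #
  # The json filter decodes [message] into event fields. A line that is not
  # valid JSON is kept and tagged _jsonparsefailure instead of blowing up in
  # the ruby code. remove_field is only applied when decoding succeeded, so
  # the raw message survives for the failure case.
  #
  # NOTE(review): with no `target`, decoded keys are merged into the event
  # root, so a producer that can control key names could overwrite fields
  # such as [tags] or [@timestamp]. If the log source is not trusted, set
  # `target => "audit"` and address fields as [audit][targetResources] etc.
  json {
    source => "message"
    remove_field => ["message"]
  }

  ruby {
    code => '
      # Nested values are addressed with bracket field references, e.g.
      # [targetResources][0][displayName]. The original
      # event.get("targetResources" + i.to_s) looked for a top-level field
      # literally named "targetResources0" and therefore always returned nil.
      # Dots in key names such as @odata.type are part of the name, not a
      # path separator: [targetResources][0][@odata.type].
      #
      # Each element of targetResources is an object, so there is nothing
      # numeric to add up and the original [sum] field cannot be computed.
      # Instead expose the count and the display names, which is what the
      # sample log actually carries. Type checks guard against a malformed
      # event raising inside the filter.
      targets = event.get("targetResources")
      if targets.is_a?(Array)
        event.set("targetResourceCount", targets.length)
        names = targets.map { |t| t["displayName"] if t.is_a?(Hash) }.compact
        event.set("targetResourceNames", names)
      end

      # additionalDetails is an array of {key, value} pairs. Flatten it into a
      # hash keyed by "key" so each entry becomes an addressable field, e.g.
      # [additionalDetailsFlat][ErrorCode]. Entries without a usable key are
      # skipped rather than producing an empty-named field.
      details = event.get("additionalDetails")
      if details.is_a?(Array)
        flat = {}
        details.each do |d|
          next unless d.is_a?(Hash) && d["key"].is_a?(String) && !d["key"].empty?
          flat[d["key"]] = d["value"]
        end
        event.set("additionalDetailsFlat", flat)
      end
    '
  }
}

output {
  stdout { codec => rubydebug }
}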