Parse rabbitmq json log

ansamHox · September 27, 2023, 7:36pm

Hi, got json log message from rabbit as

{"timestamp":"2022-12-21 03:14:59.977922+02:00","level":"error","msg":"Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)","domain":"rabbitmq.connection","pid":"<0.32551.1583>"

JSONs are not parsed by default, i only got message field in ES, but I would like to extract 3 fields (actually 4)

*time as a timestamp in ISO8601 format, not this default RFC 3339 format
*loglevel as a text or keyword
*pid as a keyword without <> braces
*msg as a "message"

It should look in Kibana like this:

"time": "2022-12-21T02:14:59+01:00"
"level": "error"
"message": "Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)"
"pid": "0.32551.1583"

Tried to play with grok and json filters without luck converting timestamp from RFC 3339 to ISO8601, any input would be appreciated. Thanks.

leandrojmp · September 27, 2023, 8:30pm

What does your Logstash configuration file looks like?

leandrojmp · September 27, 2023, 8:41pm

If your json log looks like this:

{"timestamp":"2022-12-21 03:14:59.977922+02:00","level":"error","msg":"Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)","domain":"rabbitmq.connection","pid":"<0.32551.1583>"}

Then this filter will parse it:

filter {
    json {
        source => "message"
        remove_field => ["message"]
    }
    mutate {
        gsub => ["pid","<>",""]
        rename => {
            "msg" => "message"
        }
    }
    date {
        match => ["timestamp","yyyy-MM-dd HH:mm:ss.SSSSSSZZ"]
        target => "time"
        remove_field => ["timestamp"]
    }
}

The gsub will remove the <> from your pid field, and the rename will rename msg into message.

The date filter will parse your date format into ISO8601.

The output would be something like this:

{
    "@timestamp" => 2023-09-27T20:38:17.726537839Z,
      "@version" => "1",
           "pid" => "<0.32551.1583>",
        "domain" => "rabbitmq.connection",
          "time" => 2022-12-21T01:14:59.977Z,
         "level" => "error",
          "host" => "lab",
       "message" => "Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)"
}

ansamHox · September 27, 2023, 9:23pm

why is it pid after gsub still with the brackets (<0.32551.1583>)

leandrojmp · September 27, 2023, 9:27pm

Oh yeah, my mistake, I thought it worked on the first try.

Just need to change the gsub to this:

gsub => ["pid","[<>]",""]

And the <> will be removed.

ansamHox · September 27, 2023, 9:32pm

thanks

system · October 25, 2023, 9:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.