Parse rabbitmq json log

ansamHox · September 27, 2023, 7:36pm

Hi, got json log message from rabbit as

{"timestamp":"2022-12-21 03:14:59.977922+02:00","level":"error","msg":"Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)","domain":"rabbitmq.connection","pid":"<0.32551.1583>"

JSONs are not parsed by default, i only got message field in ES, but I would like to extract 3 fields (actually 4)

*time as a timestamp in ISO8601 format, not this default RFC 3339 format
*loglevel as a text or keyword
*pid as a keyword without <> braces
*msg as a "message"

It should look in Kibana like this:

"time": "2022-12-21T02:14:59+01:00"
"level": "error"
"message": "Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)"
"pid": "0.32551.1583"

Tried to play with grok and json filters without luck converting timestamp from RFC 3339 to ISO8601, any input would be appreciated. Thanks.

leandrojmp · September 27, 2023, 8:30pm

What does your Logstash configuration file looks like?

leandrojmp · September 27, 2023, 8:41pm

If your json log looks like this:

{"timestamp":"2022-12-21 03:14:59.977922+02:00","level":"error","msg":"Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)","domain":"rabbitmq.connection","pid":"<0.32551.1583>"}

Then this filter will parse it:

filter {
    json {
        source => "message"
        remove_field => ["message"]
    }
    mutate {
        gsub => ["pid","<>",""]
        rename => {
            "msg" => "message"
        }
    }
    date {
        match => ["timestamp","yyyy-MM-dd HH:mm:ss.SSSSSSZZ"]
        target => "time"
        remove_field => ["timestamp"]
    }
}

The gsub will remove the <> from your pid field, and the rename will rename msg into message.

The date filter will parse your date format into ISO8601.

The output would be something like this:

{
    "@timestamp" => 2023-09-27T20:38:17.726537839Z,
      "@version" => "1",
           "pid" => "<0.32551.1583>",
        "domain" => "rabbitmq.connection",
          "time" => 2022-12-21T01:14:59.977Z,
         "level" => "error",
          "host" => "lab",
       "message" => "Error on AMQP connection <0.32551.1583>: enotconn (socket is not connected)"
}

ansamHox · September 27, 2023, 9:23pm

why is it pid after gsub still with the brackets (<0.32551.1583>)

leandrojmp · September 27, 2023, 9:27pm

Oh yeah, my mistake, I thought it worked on the first try.

Just need to change the gsub to this:

gsub => ["pid","[<>]",""]

And the <> will be removed.

ansamHox · September 27, 2023, 9:32pm

thanks

system · October 25, 2023, 9:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Parse Json log format by ConfigMap in Logstash Logstash	5	1200	March 17, 2019
Duplicated lines when parsing rabbitmq logs§ Logstash	3	367	November 6, 2020
"_jsonparsefailure" Getting Error while reading messages from RabbitMQ Logstash	7	449	May 7, 2021
Parsing data from the message field of incoming json Logstash	2	626	September 14, 2017
Extract json fields from message Logstash	6	805	May 7, 2021

Parse rabbitmq json log

Related topics