Thanks Manud, Still no joy.
Configuration
input { file { path => "sample_masked_log" codec => "json" type => "Log" sincedb_path => "/tmp/sincedb" start_position => "beginning" } } filter { mutate { gsub => [ "message", "}{", "} {" ] } split { field => "message" } json { source => "message" } split { field => "[logEvents]" } mutate { add_field => { "log-event-id" => "%{[logEvents][id]}" "log-event-message" => "%{[logEvents][message]}" "log-event-time" => "%{[logEvents][timestamp]}" } remove_field => [ "[message]", "[host]", "[path]", "[logEvents]", "[subscriptionFilters]", "[messageType]" ] } } output { stdout { codec => rubydebug } }
Content of sample_masked_log file
{"messageType": "DATA_MESSAGE","owner": "owner-id","logGroup": "log-group","logStream": "log-stream","subscriptionFilters": ["Destination"],"logEvents": [{"id": "event-id","timestamp": 1573519068908,"message": "{}"},{"id": "event-id","timestamp": 1573519068908,"message": "{}"}]}{"messageType": "DATA_MESSAGE","owner": "owner-id","logGroup": "log-group","logStream": "log-stream","subscriptionFilters": ["Destination"],"logEvents": [{"id": "event-id","timestamp": 1573518985345,"message": "{}"}]}
Output
{
"@timestamp" => 2019-11-13T18:34:20.892Z,
"logGroup" => "log-group",
"type" => "Log",
"log-event-time" => "1573519068908",
"@version" => "1",
"tags" => [
[0] "_split_type_failure"
],
"logStream" => "log-stream",
"log-event-message" => "{}",
"owner" => "owner-id",
"log-event-id" => "event-id"
}
{
"@timestamp" => 2019-11-13T18:34:20.892Z,
"logGroup" => "log-group",
"type" => "Log",
"log-event-time" => "1573519068908",
"@version" => "1",
"tags" => [
[0] "_split_type_failure"
],
"logStream" => "log-stream",
"log-event-message" => "{}",
"owner" => "owner-id",
"log-event-id" => "event-id"
}