Hi,
I'm pretty new to the elastic stack so please excuse any newbie-level ignorance.
I'm shipping data from my Splunk environment to Logstash using the methods detailed in the Splunk "Forward data to third-party systems" documentation.
I've got the two systems talking to each other, and I can see events from Splunk landing in Logstash. The challenge I'm having is that the events coming from Splunk contain stringified JSON that doesn't appear to parse correctly.
Using the file output plugin, I can see the contents of the messages:
{
  "service": {
    "type": "system"
  },
  "type": "aws_ecs",
  "@version": "1",
  "message": "<13> ip-XXX-XXX-XXX-XXX.ap-southeast-2.compute.internal {\"line\":{\"app\":\"myapp\",\"ts\":\"2024-09-02T03:33:38.344Z\",\"traceId\":\"0f5dd515a04c33f3\",\"clientId\":\"client001\",\"instance\":\"ip-XXX-XXX-XXX-XXX.ap-southeast-2.compute.internal\",\"billing_event_sent\":\"false\",\"service_access_id\":\"my_special_service_id\",\"request_method\":\"GET\",\"subjectId\":\"\",\"remote_host\":\"XXX.XXX.XXX.XXX\",\"execution_time\":\"6\",\"spanId\":\"0f5dd515a04c33f3\",\"uri_path\":\"/v1/my-endpoint\",\"uri_query\":\"itemIds=50597529\\u0026excludeFields=digitalAssets%2CobjectMetadata\",\"X-ID\":\"9ca579d6-dfdf-4469-a310-a81149529599\",\"status\":\"200\",\"msg\":\"usage_start=2024-09-02T03:33:38.337918501,client_id:client001,service_access_id:my_special_service_id\",\"env\":\"uat\",\"logger_version\":\"2\"},\"source\":\"stdout\",\"tag\":\"uat/5ab01221f3374d01af0ab76792db5e79-2470140894/default\",\"attrs\":{\"AppVersion\":\"1.1.0-1383039-6fb8d1dd\",\"CdktfVersion\":\"1.16.4\"}}\n",
  "tags": [
    "src:splunk",
    "sourcetype:aws_ecs",
    "_grokparsefailure_sysloginput"
  ],
  "log": {
    "syslog": {
      "facility": {
        "name": "kernel",
        "code": 0
      },
      "severity": {
        "name": "Emergency",
        "code": 0
      },
      "priority": 0
    }
  },
  "event": {
    "original": "<13> ip-XXX-XXX-XXX-XXX.ap-southeast-2.compute.internal {\"line\":{\"app\":\"myapp\",\"ts\":\"2024-09-02T03:33:38.344Z\",\"traceId\":\"0f5dd515a04c33f3\",\"clientId\":\"client001\",\"instance\":\"ip-XXX-XXX-XXX-XXX.ap-southeast-2.compute.internal\",\"billing_event_sent\":\"false\",\"service_access_id\":\"my_special_service_id\",\"request_method\":\"GET\",\"subjectId\":\"\",\"remote_host\":\"XXX.XXX.XXX.XXX\",\"execution_time\":\"6\",\"spanId\":\"0f5dd515a04c33f3\",\"uri_path\":\"/v1/my-endpoint\",\"uri_query\":\"itemIds=50597529\\u0026excludeFields=digitalAssets%2CobjectMetadata\",\"X-ID\":\"9ca579d6-dfdf-4469-a310-a81149529599\",\"status\":\"200\",\"msg\":\"usage_start=2024-09-02T03:33:38.337918501,client_id:client001,service_access_id:my_special_service_id\",\"env\":\"uat\",\"logger_version\":\"2\"},\"source\":\"stdout\",\"tag\":\"uat/5ab01221f3374d01af0ab76792db5e79-2470140894/default\",\"attrs\":{\"AppVersion\":\"1.1.0-1383039-6fb8d1dd\",\"CdktfVersion\":\"1.16.4\"}}\n"
  },
  "host": {
    "ip": "XX.XX.XX.229"
  },
  "@timestamp": "2024-09-02T03:33:49.730817594Z"
}
Ideally, I'd like to throw away the syslog fields and keep just the JSON that makes up the original message, but I'm having trouble figuring out how to do this.
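To illustrate, the event I'd ideally end up with is just the embedded JSON promoted to structured fields, i.e. something like this (abridged, from the sample message above):

```json
{
  "line": {
    "app": "myapp",
    "ts": "2024-09-02T03:33:38.344Z",
    "traceId": "0f5dd515a04c33f3",
    "clientId": "client001",
    "request_method": "GET",
    "uri_path": "/v1/my-endpoint",
    "status": "200",
    "env": "uat"
  },
  "source": "stdout",
  "tag": "uat/5ab01221f3374d01af0ab76792db5e79-2470140894/default",
  "attrs": {
    "AppVersion": "1.1.0-1383039-6fb8d1dd",
    "CdktfVersion": "1.16.4"
  }
}
```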
My config currently looks like this (I've tried a few things I found here on the forums with no success, so I figured it's better to ask than to keep failing with no real idea why):
input {
  syslog {
    id => "splunk-syslog"
    port => 5514
    type => "syslog-splunk"
  }
  syslog {
    id => "sourcetype:aws_ecs"
    port => 51414
    tags => ["src:splunk", "sourcetype:aws_ecs", "source:my-source-api"]
    type => "aws_ecs"
  }
}

filter {
  if ([type] == "aws:ecs") {
    grok {
      match => { "message" => "%{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    grok {
      overwrite => ["syslog_message"]
    }
    json {
      source => "message"
    }
  }
}

output {
  stdout {}
  if [type] == "aws_ecs" {
    file {
      path => "/var/log/logstash/debug/aws_ecs.log"
      file_mode => 0660
      codec => json_lines
    }
  } else {
    file {
      path => "/var/log/logstash/debug/undefined.log"
      file_mode => 0660
      codec => json_lines
    }
  }
}
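While writing this up I did notice that my filter conditional tests for `aws:ecs` whereas the input sets `type => "aws_ecs"`, which presumably means the filter never fires at all. Based on similar threads, my rough guess at what the filter should look like is below: strip the `<13> hostname ` syslog prefix with grok first, then run the json filter over what's left. The field names `syslog_pri` and `syslog_message` are just my own placeholders, and I haven't gotten this working yet:

```
filter {
  if [type] == "aws_ecs" {
    # Strip the "<13> hostname " prefix so only the stringified JSON remains
    grok {
      match => { "message" => "<%{NONNEGINT:syslog_pri}> %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
    }
    # Parse the remaining stringified JSON into top-level fields
    json {
      source => "syslog_message"
    }
    # Throw away the syslog bits I don't want to keep
    mutate {
      remove_field => ["message", "syslog_message", "syslog_pri", "syslog_hostname", "log"]
    }
  }
}
```

Is that roughly the right shape, or is there a better way to do this at the input stage?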
Can someone please help me figure out what I'm doing wrong here?