Parse Substring to JSON

hami2608 · December 9, 2021, 1:50pm

Hi,

i have a Droptailer Pod in my Kubernetes Cluster with the following log example:

2021-12-09 13:46:32 +0000 UTC {"DPT":"161","DST":"XXX.XXX.XXX.XXX","ID":"54321","IN":"vrf104009","LEN":"48","MAC":"XX:XX:XX:XX:XX:XX:XX:XX:XX:XX","OUT":"vlan1000","PREC":"0x00","PROTO":"UDP","SPT":"39002","SRC":"YY.YY.YY.YY","TOS":"0x00","TTL":"242","timestamp":"2021-12-09 13:46:32 +0000 UTC"}

Now i fail by parsing the json part from the logentry becouse of the timestamp in front of it.
How can i get the JSON in a proper format?

Thx!

AquaX · December 9, 2021, 4:09pm

Send the data to a logstash instance and then there you can create a grok pattern to filter out the timestamp and then just recognize the JSON afterwards.

A grok pattern like this should work

%{DATE} %{TIME} \+0000 UTC %{GREEDYDATA:json_data}

Then use the JSON filter to parse the json_data field.

system · January 6, 2022, 6:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.