Parse Substring to JSON

hami2608 · December 9, 2021, 1:50pm

Hi,

i have a Droptailer Pod in my Kubernetes Cluster with the following log example:

2021-12-09 13:46:32 +0000 UTC {"DPT":"161","DST":"XXX.XXX.XXX.XXX","ID":"54321","IN":"vrf104009","LEN":"48","MAC":"XX:XX:XX:XX:XX:XX:XX:XX:XX:XX","OUT":"vlan1000","PREC":"0x00","PROTO":"UDP","SPT":"39002","SRC":"YY.YY.YY.YY","TOS":"0x00","TTL":"242","timestamp":"2021-12-09 13:46:32 +0000 UTC"}

Now i fail by parsing the json part from the logentry becouse of the timestamp in front of it.
How can i get the JSON in a proper format?

Thx!

AquaX · December 9, 2021, 4:09pm

Send the data to a logstash instance and then there you can create a grok pattern to filter out the timestamp and then just recognize the JSON afterwards.

A grok pattern like this should work

%{DATE} %{TIME} \+0000 UTC %{GREEDYDATA:json_data}

Then use the JSON filter to parse the json_data field.

Topic		Replies	Views
How to parse JSON field obtained from split filter Logstash	5	876	July 10, 2018
Mixed log with timestamp and json data Logstash	2	1232	July 6, 2017
Log with json value and timestamp value from syslog Beats filebeat	4	1206	February 23, 2018
Convert JSON formatted apache log time to datetime Logstash	1	891	August 17, 2017
Changing a term in a json to become the timestamp from filebeat Logstash	5	2660	April 2, 2017

Parse Substring to JSON

Related topics