Parsing data from the message field of incoming json

davidmnoriega · August 17, 2017, 12:07am

I've configured some services to send their logs to rsyslog, which then in turns sends them to logstash as json. The issue is these services have their own format, they include their own timestamp, etc.

{
  "_index": "syslog-index",
  "_type": "syslog",
  "_id": "AV3tQLi_sYGi6CaqpdbE",
  "_score": 1,
  "_source": {
    "severity": "info",
    "@timestamp": "2017-08-16T22:53:48.088Z",
    "host": "packstack",
    "@version": "1",
    "tag": "gnocchi-metricd:",
    "message": "2017-08-16 15:53:48.086 3352 INFO gnocchi.cli [-] 0 measurements bundles across 0 metrics wait to be processed.",
    "type": "syslog",
    "facility": "local3",
    "timestamp": "2017-08-16T15:53:48.087998-07:00"
  },
  "fields": {
    "timestamp": [
      1502924028087
    ],
    "@timestamp": [
      1502924028088
    ]
  }
}

Trouble is I'm not finding examples of taking the message field and breaking that down.

magnusbaeck · August 17, 2017, 3:46am

Use a grok filter. There are tons of examples of that, e.g. here: https://www.elastic.co/guide/en/logstash/current/config-examples.html

system · September 14, 2017, 3:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse "message" field on Syslog Logstash	4	1380	March 28, 2021
Logstash Filter JSON syslog message field is not getting parsed Logstash	4	555	August 15, 2022
Parsing Logstash Message Fields Logstash	6	433	April 26, 2021
Logstash JSON field from syslog to flat fields? Logstash	3	368	February 27, 2019
Elastic Json parse into logstash Logstash	30	1201	November 22, 2018

Parsing data from the message field of incoming json

Related topics