Parsing data from the message field of incoming json

davidmnoriega · August 17, 2017, 12:07am

I've configured some services to send their logs to rsyslog, which then in turns sends them to logstash as json. The issue is these services have their own format, they include their own timestamp, etc.

{
  "_index": "syslog-index",
  "_type": "syslog",
  "_id": "AV3tQLi_sYGi6CaqpdbE",
  "_score": 1,
  "_source": {
    "severity": "info",
    "@timestamp": "2017-08-16T22:53:48.088Z",
    "host": "packstack",
    "@version": "1",
    "tag": "gnocchi-metricd:",
    "message": "2017-08-16 15:53:48.086 3352 INFO gnocchi.cli [-] 0 measurements bundles across 0 metrics wait to be processed.",
    "type": "syslog",
    "facility": "local3",
    "timestamp": "2017-08-16T15:53:48.087998-07:00"
  },
  "fields": {
    "timestamp": [
      1502924028087
    ],
    "@timestamp": [
      1502924028088
    ]
  }
}

Trouble is I'm not finding examples of taking the message field and breaking that down.

magnusbaeck · August 17, 2017, 3:46am

Use a grok filter. There are tons of examples of that, e.g. here: https://www.elastic.co/guide/en/logstash/current/config-examples.html

system · September 14, 2017, 3:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.