Parsing filter for nested json

Hi. I have input string

{'message': 'send data to', 'payload': {'params': {'cardNo': '77'}}, 'remote-url': 'https://api.com/status', 'cookie': {}, 'headers': {'User-Agent': 'req', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'b*********'', 'Content-Type': 'application/json'}, 'method': 'GET'}\n

I use this filter in logstash

    filter {
      if "testjson" in [tags] {
          grok {
            match => { "message" => ["%{TIMESTAMP_ISO8601:timestamp} - %{WORD:logger} - %{LOGLEVEL:loglevel} - %{NUMBER:user_id} - %{IPORHOST:request_ip} - %{URI:request_uri} - %{UUID:requies_id} - %{GREEDYDATA:body}"] }
            remove_field => "message"
          }

          mutate {
            gsub => ["body", '"',"'"]
          }

          kv {
            source => "body"
    #        remove_field => ["body"]
            target => "testjson"
            field_split => ", "
            value_split => ":"
            trim_key => " "
            trim_value => " "
          }

          json {
            source => "testjson"
          }
       }

And have this result

    "testjson": {
          "'Authorization'": "'b*********''",
          "'Content-Type'": "'application/json'}",
          "'method'": "'GET'}\\n",
          "{'message'": "send data to",
          "'cookie'": "{}",
          "'remote-url'": "https://api.com/status",
          "'headers'": "{'User-Agent':",
          "'Connection'": "keep-alive",
          "'Accept'": "*/*",
          "{'cardNo'": "'77'}}",
          "'Accept-Encoding'": "gzip, deflate",
          "'payload'": "{'params':"
        },

How I can fixed filter for fields like this "{'message'" and "'headers'": "{'User-Agent':"
and parse 'payload': {'params': {'cardNo': '77'}} whitout errors

If that really is your input message then get rid of the grok and kv and just use a json filter.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.