Hi. I have input string
{'message': 'send data to', 'payload': {'params': {'cardNo': '77'}}, 'remote-url': 'https://api.com/status', 'cookie': {}, 'headers': {'User-Agent': 'req', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'b*********'', 'Content-Type': 'application/json'}, 'method': 'GET'}\n
I use this filter in logstash
filter {
if "testjson" in [tags] {
grok {
match => { "message" => ["%{TIMESTAMP_ISO8601:timestamp} - %{WORD:logger} - %{LOGLEVEL:loglevel} - %{NUMBER:user_id} - %{IPORHOST:request_ip} - %{URI:request_uri} - %{UUID:requies_id} - %{GREEDYDATA:body}"] }
remove_field => "message"
}
mutate {
gsub => ["body", '"',"'"]
}
kv {
source => "body"
# remove_field => ["body"]
target => "testjson"
field_split => ", "
value_split => ":"
trim_key => " "
trim_value => " "
}
json {
source => "testjson"
}
}
And have this result
"testjson": {
"'Authorization'": "'b*********''",
"'Content-Type'": "'application/json'}",
"'method'": "'GET'}\\n",
"{'message'": "send data to",
"'cookie'": "{}",
"'remote-url'": "https://api.com/status",
"'headers'": "{'User-Agent':",
"'Connection'": "keep-alive",
"'Accept'": "*/*",
"{'cardNo'": "'77'}}",
"'Accept-Encoding'": "gzip, deflate",
"'payload'": "{'params':"
},
How I can fixed filter for fields like this "{'message'" and "'headers'": "{'User-Agent':"
and parse 'payload': {'params': {'cardNo': '77'}} whitout errors