Hi Team,
New to ELK environment so please bear with me.
I'm trying to ingest data from json file and visualise in kibana. The ingest itself is working but the message is coming as: "message" => " "totalCount": 83\r",
-
- how can i remove the \r" from the message
-
- inside kibana the index needs to have value of 83 instead of being counted as 1
-
- how can i format the json data to comeup as needAttention: 0, knownMalware: 37
JSON file:
{
"data": {
"malwareCountFilters": [
{
"count": 0,
"filter": "needsAttention"
},
{
"count": 37,
"filter": "KnownMalware"
},
{
"count": 0,
"filter": "UnknownMalware"
},
{
"count": 46,
"filter": "FilelessMalware"
},
{
"count": 0,
"filter": "ApplicationControlMalware"
}
],
"totalCount": 83
},
"expectedResults": 0,
"failedServersInfo": null,
"failures": 0,
"hidePartialSuccess": false,
"message": "",
"status": "SUCCESS"
}
logstash conf:
input {
file {
path => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
start_position => "beginning"
sincedb_path => "NUL"
}
}
filter {
json { source => "message" }
mutate { remove_field => [ "@version", "name", "host", "original", "file", "@timestamp", "path" ] }
}
output{
elasticsearch{
hosts => ["https://localhost:9200"]
index => "cybereason"
ssl => true
ssl_certificate_verification => false
user => "user"
password => "pwd@pwd"
}
stdout { codec => rubydebug }
}
logstash output:
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => "{\r",
"event" => {
"original" => "{\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"data\": {\r",
"event" => {
"original" => " \"data\": {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"malwareCountFilters\": [\r",
"event" => {
"original" => " \"malwareCountFilters\": [\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " {\r",
"event" => {
"original" => " {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"count\": 0,\r",
"event" => {
"original" => " \"count\": 0,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"filter\": \"needsAttention\"\r",
"event" => {
"original" => " \"filter\": \"needsAttention\"\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " },\r",
"event" => {
"original" => " },\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " {\r",
"event" => {
"original" => " {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"count\": 37,\r",
"event" => {
"original" => " \"count\": 37,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"filter\": \"KnownMalware\"\r",
"event" => {
"original" => " \"filter\": \"KnownMalware\"\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " },\r",
"event" => {
"original" => " },\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " {\r",
"event" => {
"original" => " {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"count\": 0,\r",
"event" => {
"original" => " \"count\": 0,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"filter\": \"UnknownMalware\"\r",
"event" => {
"original" => " \"filter\": \"UnknownMalware\"\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " },\r",
"event" => {
"original" => " },\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " {\r",
"event" => {
"original" => " {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"count\": 46,\r",
"event" => {
"original" => " \"count\": 46,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"filter\": \"FilelessMalware\"\r",
"event" => {
"original" => " \"filter\": \"FilelessMalware\"\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " },\r",
"event" => {
"original" => " },\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " {\r",
"event" => {
"original" => " {\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"count\": 0,\r",
"event" => {
"original" => " \"count\": 0,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"filter\": \"ApplicationControlMalware\"\r",
"event" => {
"original" => " \"filter\": \"ApplicationControlMalware\"\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " }\r",
"event" => {
"original" => " }\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " ],\r",
"event" => {
"original" => " ],\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"totalCount\": 83\r",
"event" => {
"original" => " \"totalCount\": 83\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " },\r",
"event" => {
"original" => " },\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"expectedResults\": 0,\r",
"event" => {
"original" => " \"expectedResults\": 0,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"failedServersInfo\": null,\r",
"event" => {
"original" => " \"failedServersInfo\": null,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"failures\": 0,\r",
"event" => {
"original" => " \"failures\": 0,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"hidePartialSuccess\": false,\r",
"event" => {
"original" => " \"hidePartialSuccess\": false,\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"message\": \"\",\r",
"event" => {
"original" => " \"message\": \"\",\r"
}
}
{
"tags" => [
[0] "_jsonparsefailure"
],
"log" => {
"file" => {
"path" => "C:/ELK/logstash/Cyberreason/cybereasonoutput.json"
}
},
"message" => " \"status\": \"SUCCESS\"\r",
"event" => {
"original" => " \"status\": \"SUCCESS\"\r"
}
}