Hi All,
I am trying to parse a .json file. It gets parsed perfectly when I use stdin, i.e. one entry at a time, but since the .json is a file with comma-separated entries, how do I parse it using the file input parameter?
Here is my file and message:
```
[{"remote_host":"112.124.98.67","count":"22995","last_seen":"2017-12-11"},{"remote_host":"38.122.220.1","count":"22163","last_seen":"2017-12-11"},{"remote_host":"40.135.239.38","count":"18804","last_seen":"2017-12-12"},{"remote_host":"112.5.237.78","count":"17875","last_seen":"2017-12-11"},{"remote_host":"185.148.145.243","count":"15115","last_seen":"2017-12-10"},{"remote_host":"113.195.145.52","count":"14414","last_seen":"2017-12-11"},{"remote_host":"221.200.82.180","count":"14116","last_seen":"2017-12-12"},{"remote_host":"114.39.123.78","count":"13687","last_seen":"2017-12-11"},{"remote_host":"60.6.231.144","count":"11871","last_seen":"2017-12-10"},{"remote_host":"60.6.231.187","count":"10081","last_seen":"2017-12-10"},{"remote_host":"59.56.66.62","count":"10043","last_seen":"2017-12-11"},{"remote_host":"60.6.230.105","count":"9850","last_seen":"2017-12-10"},{"remote_host":"221.192.242.58","count":"9149","last_seen":"2017-12-10"},{"remote_host":"113.195.145.21","count":"8877","last_seen":"2017-12-11"},{"remote_host":"114.55.207.244","count":"7542","last_seen":"2017-12-11"}]
```
```
input {
  # Read the JSON file from the start
  file {
    codec => json
    path => "/tmp/ishp.json"
    start_position => "beginning"
  }
  # Also accept entries typed or pasted on stdin
  stdin { }
}
filter {
  # Extract the IP, hit count and last-seen date from the raw message
  grok {
    match => [ "message", '%{WORD:host}":"%{IPV4:ipaddr}","%{WORD:count}":"%{INT:nooftimes}","%{WORD:lastseen}":"%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"' ]
  }
  geoip { source => "ipaddr" }
}
output {
  elasticsearch {
    hosts => ["172.xx.xx.xx:9200"]
    index => "logstash-hp-%{+YYYY.MM.dd}"
    template => "/etc/logstash/logstash-template.json"
  }
  stdout { codec => rubydebug }
}
```
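
One way to make a file like the one above line-oriented before Logstash reads it, as an added example that is not part of the original post: the file input emits one event per newline-terminated line, so the script rewrites the JSON array as one validated object per line. The function names and the sample data (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the same shape as the file in the post.
SAMPLE = ('[{"remote_host":"192.0.2.10","count":"22995","last_seen":"2017-12-11"},'
          '{"remote_host":"198.51.100.7","count":"22163","last_seen":"2017-12-11"},'
          '{"remote_host":"not-an-ip","count":"5","last_seen":"2017-12-10"}]')


def array_to_ndjson(text):
    """Return (lines, rejected): one compact JSON object per line,
    plus the entries that failed validation."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array at the top level")
    lines, rejected = [], []
    for entry in entries:
        try:
            record = {
                # Reject anything that is not a valid IP before it reaches geoip.
                "remote_host": str(ipaddress.ip_address(entry["remote_host"])),
                # Store the hit count as a number so it can be sorted and summed.
                "count": int(entry["count"]),
                "last_seen": entry["last_seen"],
            }
        except (KeyError, TypeError, ValueError):
            rejected.append(entry)
            continue
        lines.append(json.dumps(record, separators=(",", ":")))
    return lines, rejected


def convert_file(src, dst):
    """Rewrite src (JSON array) as dst (newline-delimited JSON); return lines written."""
    with open(src, encoding="utf-8") as fh:
        lines, _rejected = array_to_ndjson(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        # Every line ends with "\n" so a line-based reader sees the last entry too.
        fh.write("".join(line + "\n" for line in lines))
    return len(lines)


if __name__ == "__main__":
    ndjson, bad = array_to_ndjson(SAMPLE)
    print("\n".join(ndjson))
    print("rejected:", bad)
```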