Hi, I want to parse JSON logs using Logstash and send them to Elasticsearch. There are multiple nested fields in my logs but I want only very specific fields. Here is an example of my log as it is stored in Elasticsearch (this is a Kibana/Elasticsearch hit document — the `_index`, `_id`, `highlight` and `sort` keys are added by Elasticsearch/Kibana; the event Logstash actually receives from Filebeat is the content of `_source`):
{
"_index": "ekslogs-2021.05.27",
"_type": "doc",
"_id": "3Y6zrnkBzzvO6GYmqdMv",
"_version": 1,
"_score": null,
"_source": {
"kubernetes": {
"namespace": "inventory-mgmt",
"replicaset": {
"name": "public-service-5659649fc7"
},
"labels": {
"app_kubernetes_io/routing": "NLB",
"app_kubernetes_io/instance": "mus",
"app_kubernetes_io/managed-by": "Helm",
"app_kubernetes_io/version": "191e179_51",
"helm_sh/chart": "public-service-191e179_51",
"app_kubernetes_io/component": "microservice",
"app_kubernetes_io/part-of": "public-service-management",
"pod-template-hash": "5659649fc7",
"repo": "public-service",
"app_kubernetes_io/name": "public-service",
"app": "mus"
},
"pod": {
"name": "public-service-909090-phj9w",
"uid": "64bd12bd-d07a-4ac2-9409-ac8fc703978e"
},
"node": {
"name": "ip-10-63-21-989.ec2.internal"
},
"container": {
"name": "public-service"
}
},
"message": "{\"@message\":\"User not Authorized\",\"@timestamp\":\"2021-05-27T16:41:17.979Z\",\"@fields\":{\"level\":\"error\",\"context\":{\"code\":401,\"errorCode\":null,\"stack\":\"Authorization header is required.\",\"oStack\":null,\"innerMessage\":null,\"serviceName\":\"public-public-service\"},\"host\":\"public-service-5659649fc7-phj9w\",\"x-correlation-id\":\"d9ajd9hd9a-bf0a-11eb-b16b-d9dd5db88e32\"}}",
"stream": "stdout",
"log": {
"offset": 33501,
"file": {
"path": "/var/lib/docker/containers/ab0e00a90dca71ef4fbf4d7e8aaa3fa711c723c05d6c52b2ffb1c22ed49ad3a4/ab0e00a90dca71ef4fbf4d7e8aaa3fa711c723c05d6c52b2ffb1c22ed49ad3a4-json.log"
}
},
"cloud": {
"availability_zone": "us-east-1b",
"provider": "aws",
"instance": {
"id": "i-6565695695j95n9n65"
},
"machine": {
"type": "m5.2xlarge"
},
"region": "us-east-1"
},
"ecs": {
"version": "1.0.0"
},
"@version": "1",
"tags": [
"beats_input_codec_plain_applied"
],
"input": {
"type": "docker"
},
"@timestamp": "2021-05-27T16:41:17.979Z",
"agent": {
"type": "filebeat",
"id": "0000000-fcd1-4c6c-9e13-5645454",
"version": "7.0.1",
"hostname": "eks-filebeats-wzgkr",
"ephemeral_id": "54185a8b-65a9-4c04-9a92-67b1d3ebbb7a"
},
"host": {
"name": "eks-filebeats-wzgkr"
}
},
"fields": {
"@timestamp": [
"2021-05-27T16:41:17.979Z"
]
},
"highlight": {
"kubernetes.namespace": [
"@kibana-highlighted-field@inventory@/kibana-highlighted-field@-@kibana-highlighted-field@mgmt@/kibana-highlighted-field@"
],
"kubernetes.pod.name": [
"@kibana-highlighted-field@public@/kibana-highlighted-field@-@kibana-highlighted-field@service@/kibana-highlighted-field@-5659649fc7-phj9w"
]
},
"sort": [
1622133677979
]
}
The output I want is something like the following (keeping only these fields from `_source`):
kubernetes
labels
pod
node
container
cloud.instance_id (the source field is nested as `cloud.instance.id`)
machine
message (This field contains the application log as a JSON-encoded string, i.e. JSON nested inside a JSON string. I want to parse it and bring its values up to the root level. Note that this inner JSON already contains `@timestamp` and `host` keys, which would collide with and overwrite the root-level `@timestamp` and `host` written by Filebeat if the parsed object is merged directly into the root; because the inner keys are controlled by the application writing the log, they should be parsed into a dedicated sub-field or renamed rather than merged blindly into the root event.)
timestamp
Can anyone help here?