Parsing json nested in json from log firehose

Example Log:

<6> 2020-03-13T21:20:46Z aea1b92e-07fe-4e21-7684-7f94 doppler[17]: 
{"cf_app_id":"174545fd-aee6-4d7c-819c-6c94cdf3b68c",
"cf_app_name":"cobra-inbound-read-api",
"cf_org_id":"eb84d2e9-e049-45c3-9a08-a776662be11c",
"cf_org_name":"test-dev-cobra",
"cf_origin":"firehose",
"cf_space_id":"ad85c9b9-bd6f-4db3-9e10-35320da40f01",
"cf_space_name":"inbound",
"deployment":"cf-434dec3ada8db15170a4",
"event_type":"LogMessage",
"ip":"00.31.56.91",
"job":"diego_cell",
"job_index":"e2b76e28-450a-46b8-816f-f4d642bfcdb9",
"level":"info",
"message_type":"OUT",
"msg":" {\"platform_name\":\"Cobra\",\"application_name\":\"Inbound\",\"service\":\"ReadAPI\",\"message\":\"Updated KeyManager for /etc/cf-instance-credentials/instance.key and /etc/cf-instance-credentials/instance.crt\",\"line_number\":143,\"class\":\"org.cloudfoundry.security.FileWatchingX509ExtendedKeyManager$FileWatcherCallback\",\"@version\":1,\"source_host\":\"a36e2997-c6de-423c-753a-51ec\",\"thread_name\":\"file-watcher-instance.key-0\",\"@timestamp\":\"2020-03-13T16:20:45.464-05:00\",\"level\":\"INFO\",\"file\":\"FileWatchingX509ExtendedKeyManager.java\",\"method\":\"run\",\"logger_name\":\"org.cloudfoundry.security.FileWatchingX509ExtendedKeyManager\",\"exception\":{\"exception_class\":null,\"exception_message\":null,\"stacktrace\":null}}",
"origin":"rep",
"source_instance":"0",
"source_type":"APP/PROC/WEB",
"time":"2020-03-13T21:20:46Z",
"timestamp":1584134445464682039}

Config File:

filter {
    grok {
        match => ["message", "(?<json_data>{.*})"]
    }

    json {
        source => "json_data"
    }

    json {
        source => "[json_data][msg]"
        target => "Pivotalmsg"
    }
}

My "msg" field still doesn't get parsed; the JSON blob just populates the field. I'm new to this and have 0 idea what I'm doing, so any help is greatly appreciated.

You have not included a target option on the first filter, so [msg] will exist at the top level. Thus this should be

source => [msg]
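The following is an added example, not code from the thread or from Logstash: a small Python model of the grok and json filter steps, showing why `[json_data][msg]` resolves to nothing while `[msg]` works. The helper names (`get_field`, `json_filter`, `run_pipeline`) are hypothetical and the sample line is constructed in the shape of the log above.

```python
import json
import re

# Constructed sample in the shape of the firehose line from the question.
INNER = {"service": "ReadAPI", "level": "INFO", "line_number": 143}
OUTER = {"cf_app_name": "cobra-inbound-read-api", "level": "info",
         "msg": " " + json.dumps(INNER)}   # inner JSON carried as a string
SAMPLE = "<6> 2020-03-13T21:20:46Z host doppler[17]: " + json.dumps(OUTER)

def get_field(event, ref):
    """Resolve a Logstash-style reference such as [a][b]; None if absent."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref) or [ref]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def json_filter(event, source, target=None):
    """Model of the json filter: without a target, keys merge into the root."""
    raw = get_field(event, source)
    if raw is None:
        return event                      # missing source: silently skipped
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        event.setdefault("tags", []).append("_jsonparsefailure")
        return event
    if target:
        event[target] = parsed
    elif isinstance(parsed, dict):
        event.update(parsed)
    return event

def run_pipeline(line, msg_source):
    """grok, then json on json_data, then json on msg_source into Pivotalmsg."""
    event = {"message": line}
    m = re.search(r"(?P<json_data>\{.*\})", line)   # the grok capture
    if m:
        event["json_data"] = m.group("json_data")
    json_filter(event, "[json_data]")               # no target: root merge
    json_filter(event, msg_source, target="Pivotalmsg")
    return event

if __name__ == "__main__":
    print(run_pipeline(SAMPLE, "[json_data][msg]").get("Pivotalmsg"))  # broken
    print(run_pipeline(SAMPLE, "[msg]")["Pivotalmsg"])                 # fixed
```

In the broken run no failure tag is added because the source field does not exist, which is why the pipeline appears to succeed while `msg` stays a string. Keeping the `target` on the second filter also prevents the inner `level` from overwriting the outer one.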

Thank you! I thought something like that but online examples don't make it clear.