Parsing JSON objects

Maek_Twain · April 5, 2018, 11:24am

I have a json logs coming from websites like this

"{\"path\":\"/visitors/events/\",\"value\":{\"fingerprint\":\"b9fcd389db7f5ca5fad9c767909c481a\",\"sessionId\":\"d7c41580-6155-1b2c-27f5-65c7e19a7174\",\"visitorId\":\"82a9178c-09f8-b021-1815-b558ce48778f\",\"trackingId\":\"INF-XXXXXXX\",\"userId\":null,\"userProfile\":null,\"target\":{\"selector\":\"p:nth-child(3)\"},\"duration\":2587.200000009034,\"timestamp\":\"2018-04-05T11:12:22.045Z\",\"event\":\"engage\",\"source\":{\"url\":{\"hash\":\"#nodeunit-header\",\"host\":\"localhost:8000\",\"hostname\":\"localhost\",\"pathname\":\"/test-api.html\",\"protocol\":\"http:\",\"query\":{\"q\":\"super duper query\"}}}}}

or like this -

"{\"path\":\"/visitors/events/\",\"value\":{\"fingerprint\":\"b9fcd389db7f5ca5fad9c767909c481a\",\"sessionId\":\"d7c41580-6155-1b2c-27f5-65c7e19a7174\",\"visitorId\":\"82a9178c-09f8-b021-1815-b558ce48778f\",\"trackingId\":\"INF-XXXXXXX\",\"userId\":null,\"userProfile\":null,\"timestamp\":\"2018-04-05T11:12:18.786Z\",\"event\":\"click\",\"source\":{\"url\":{\"hash\":\"#nodeunit-header\",\"host\":\"localhost:8000\",\"hostname\":\"localhost\",\"pathname\":\"/test-api.html\",\"protocol\":\"http:\",\"query\":{\"q\":\"super duper query\"}}}}}",

I am using Elastic stack using docker where I am sending above via filebeats --> Logstash --> ES.

Using kibana for visualisation what I need is to filter on the above key inside the json,i have gone through various post related to Logging using json_decoding and other methods like splitting.

None of them working my configuration is ass below.

filebeat.prospectors:
  paths:
    - /var/logs/websocket.log
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match:  after
  processors:
  - decode_json_fields:
      fields: ['message']
      target: json

#output.elasticsearch:
#  hosts: ['elasticsearch:9200']
#  username: elastic
#  password: changeme
output.logstash:
  hosts: ["logstash:5044"]

And my Logstash conf

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => [ 'elasticsearch' ]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
    user     => 'elastic'
    password => 'changeme'
  }
}

Point me to a direction.

jsoriano · April 5, 2018, 2:06pm

The logs have to contain a json object on each line. Are the lines in the logs exactly as you pasted them? If they are they contain escape characters that cannot be parsed as JSON.

Regarding configuration, you should use json options of the filebeat prospector.

system · May 3, 2018, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse array in Json log file with Filebeat 7.7.1 Beats filebeat	3	566	January 11, 2023
Read JSON objects from JSON file with Filebeat Beats filebeat	1	1316	May 14, 2019
Json Parsing using Filebeat Beats filebeat	3	730	December 18, 2018
How to read log json array format with filebeat Beats filebeat	11	3173	September 20, 2017
Not able to parse below multiple json objects i have lot of json objects like this please provide filebeat input and logstsah configuration for this thank you in advance Beats filebeat	1	270	February 14, 2022

Parsing JSON objects

Related topics