Parsing JSON with a string at the beginning of each JSON Object

Hello,

I'm trying to parse a JSON file with a string at the beginning of each object. What is the easiest way to bypass the initial string or parse the JSON with a string at the beginning?

Here is an example of the JSON:

string {"field": "value"}

Use mutate+gsub to remove the string.


Thanks @Badger. Second question: would the string be considered the source or message?

filter {
  mutate {
    gsub => [ "message", "string ", "" ]
  }  
  json {
    source => "message"
  }  
}

OK, I have something similar. To give context, the strings are domain names and they're all different. I'm trying to use regex, but every domain is different, including numbers with text, just numbers, or just text.

If there is always a space after the text domainname { then an easy option is to just grok after that first space.

filter {
  grok {
    match => { "message" => " %{GREEDYDATA:new_message}" }
  }
  json {
    source => "new_message"
  }
  mutate {
    remove_field => [ "new_message", "message" ]
  }  
}

Output

{
    "@timestamp" => 2021-09-29T14:33:23.008Z,
         "field" => "value"
}

I'm giving it a try right now.

If you always have this format:

string1 {json}
string2 {json}
string3 {json}

You could also use a dissect filter to split your message in two parts.

dissect {
    mapping => {
        "message" => "%{domainName} %{jsonData}"
    }
}

So for the following example:

string1 {"field": "value"}

This dissect filter will create two fields:

domainName: "string1"
jsonData: {"field": "value"}

Then you can use the json filter with the jsonData field.

This is similar to the grok example, but dissect uses less CPU.
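
The dissect split from this thread combined with failure handling, as an added example that is not part of the original posts: it parses the JSON under a `payload` field (an assumed name) so keys in the data cannot overwrite top-level event fields, and it deletes the raw `message` only when both filters succeed, relying on the filters' default `_dissectfailure` and `_jsonparsefailure` tags.

```logstash
filter {
  # Split on the first space: the prefix (a domain name in this thread)
  # goes to domainName, the remainder of the line goes to jsonData.
  dissect {
    mapping => {
      "message" => "%{domainName} %{jsonData}"
    }
  }

  # dissect adds the _dissectfailure tag when the line does not match,
  # for example when there is no space-separated prefix at all.
  if "_dissectfailure" not in [tags] {
    json {
      source => "jsonData"
      # "payload" is an assumed field name. Parsing into a sub-field keeps
      # keys from the JSON text from replacing fields such as domainName
      # or @timestamp on the event itself.
      target => "payload"
    }

    # json adds the _jsonparsefailure tag on invalid JSON. Drop the raw
    # text only after a clean parse, so failed lines keep their original
    # message for troubleshooting.
    if "_jsonparsefailure" not in [tags] {
      mutate {
        remove_field => [ "jsonData", "message" ]
      }
    }
  }
}
```

For the input `string1 {"field": "value"}` this yields `domainName` set to `string1` and the parsed value at `[payload][field]`; events tagged with either failure tag still carry the original `message`.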
