Hello
I have log lines consisting of two parts - plain text and JSON. Example line below:
Jun 13 07:58:00 c4e-gen1 c4edlog[555007]: {"level":"info","commit":"436F6D6D697449447B5B3135362031303720362036362032353120323331203133302035322032382038382036352038322035302031313820313330203133392031303420353720323136203234362037302032313920313835203233302031393120323137203135382031313220313137203137302036392031355D3A34353244417D","time":"2022-06-13T07:58:00Z","message":"commit synced"}
I need to parse the following information from the plain-text part:
- hostname - c4e-gen1
- process name - c4edlog
- pid - [555007]
- date field - can be skipped
From the JSON part I need to parse all fields.
I split the message into two parts, plain_prefix and json_segment, using grok, and I have all fields from the JSON captured as desired, but I don't know how to extract the data from plain_prefix:
filter {
  grok {
    match => {
      "message" => [ "(?<plain_prefix>^.*?) (?<json_segment>{.*$)" ]
    }
  }
  json {
    source => "json_segment"
  }
  mutate {
    remove_field => [ "json_segment" ]
  }
}
The result is:
{
            "level" => "info",
        "@metadata" => {
        "input" => {
            "http" => {
                "request" => {
                    "headers" => {
                          "content_length" => "390",
                         "http_user_agent" => "PostmanRuntime/7.29.0",
                             "http_accept" => "*/*",
                            "content_type" => "text/plain",
                          "request_method" => "PUT",
                            "request_path" => "/",
                               "http_host" => "localhost:8080",
                         "accept_encoding" => "gzip, deflate, br",
                            "http_version" => "HTTP/1.1",
                           "postman_token" => "4a6d8105-d613-4450-979c-20b50740acd8",
                              "connection" => "keep-alive"
                    }
                }
            }
        }
    },
           "commit" => "436F6D6D697449447B5B3135362031303720362036362032353120323331203133302035322032382038382036352038322035302031313820313330203133392031303420353720323136203234362037302032313920313835203233302031393120323137203135382031313220313137203137302036392031355D3A34353244417D",
          "message" => "commit synced",
              "url" => {
          "path" => "/",
          "port" => 8080,
        "domain" => "localhost"
    },
       "@timestamp" => 2022-06-13T11:41:05.022105Z,
         "@version" => "1",
             "host" => {
        "ip" => "0:0:0:0:0:0:0:1"
    },
     "plain_prefix" => "Jun 13 07:58:00 c4e-gen1 c4edlog[555007]:",
             "http" => {
        "request" => {
            "mime_type" => "text/plain",
                 "body" => {
                "bytes" => "390"
            }
        },
         "method" => "PUT",
        "version" => "HTTP/1.1"
    },
             "time" => "2022-06-13T07:58:00Z",
            "event" => {
        "original" => "Jun 13 07:58:00 c4e-gen1 c4edlog[555007]: {\"level\":\"info\",\"commit\":\"436F6D6D697449447B5B3135362031303720362036362032353120323331203133302035322032382038382036352038322035302031313820313330203133392031303420353720323136203234362037302032313920313835203233302031393120323137203135382031313220313137203137302036392031355D3A34353244417D\",\"time\":\"2022-06-13T07:58:00Z\",\"message\":\"commit synced\"}"
    },
       "user_agent" => {
        "original" => "PostmanRuntime/7.29.0"
    }
}
I didn't find an example in existing topics that I could adapt to my case.
I would be grateful for suggestions.
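The plain prefix in the question has a fixed shape (syslog timestamp, hostname, program name, bracketed pid, colon), so it can be captured field by field in the same grok match that isolates the JSON, for example with the pattern `%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{DATA:process}\[%{POSINT:pid:int}\]: %{GREEDYDATA:json_segment}`. The Python below is an added example, not part of the question or of Logstash itself: it applies a regex equivalent to that grok pattern to the sample line from the post (the long commit value is shortened, and the malformed and spoofed lines are constructed), parses the JSON segment, and mirrors the `_grokparsefailure` / `_jsonparsefailure` tagging of the grok and json filters. It also adds one check the filters above do not perform: a JSON key that collides with a field taken from the prefix (for example `hostname`) is refused rather than allowed to overwrite it, and the event is tagged with the constructed name `_fieldcollision`.

```python
import json
import re

# Sample line from the question; the hex "commit" value is shortened for readability.
SAMPLE = (
    'Jun 13 07:58:00 c4e-gen1 c4edlog[555007]: '
    '{"level":"info","commit":"436F6D6D","time":"2022-06-13T07:58:00Z","message":"commit synced"}'
)

# Regex equivalent of the grok pattern
#   %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{DATA:process}\[%{POSINT:pid:int}\]: %{GREEDYDATA:json_segment}
PREFIX_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '  # SYSLOGTIMESTAMP
    r'(?P<hostname>[A-Za-z0-9._-]+) '                                  # HOSTNAME
    r'(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: '                          # program[pid]:
    r'(?P<json_segment>\{.*)$'                                          # rest of line, must start with {
)


def parse_line(line):
    """Split a syslog-prefixed JSON line into prefix fields plus the JSON payload."""
    m = PREFIX_RE.match(line)
    if m is None:
        # Same outcome as a non-matching grok filter: keep the raw message and tag it.
        return {"message": line, "tags": ["_grokparsefailure"]}

    # Fields taken from the transport prefix; pid converted like %{POSINT:pid:int}.
    event = {
        "hostname": m["hostname"],
        "process": m["process"],
        "pid": int(m["pid"]),
    }

    try:
        payload = json.loads(m["json_segment"])
    except json.JSONDecodeError:
        # Same outcome as the json filter on bad input: keep the segment, tag the event.
        event["json_segment"] = m["json_segment"]
        event["tags"] = ["_jsonparsefailure"]
        return event

    if not isinstance(payload, dict):
        event["json_segment"] = m["json_segment"]
        event["tags"] = ["_jsonparsefailure"]
        return event

    # Merge top-level JSON keys into the event root, as the json filter does without
    # a target, but never let the application payload overwrite prefix-derived fields.
    for key, value in payload.items():
        if key in event:
            event.setdefault("tags", []).append("_fieldcollision")  # constructed tag name
            continue
        event[key] = value
    return event


if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE), indent=2))
```

In Logstash itself the same separation can be had by giving the `json` filter a `target` (for example `target => "app"`), so application keys land under their own object instead of competing with `hostname`, `pid` or `message` at the event root.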