The output of key_pairs look like
"key_pairs" => "\"lastName\":\"\",\"address\":null,\"relativeIds\":\"135,\",\"gender\":\"Male\",\"city\":433,\"userId\":4265,\"firstName\":\"Shiv\",\"mrTrendingTags\":\"#निरोगी जिवन\\t\\t#आरोग्याचे फायदे\\t\\t#आहार आणि पोषण\\t\\t#वजन कमी होणे\\t\\t#स्किनकेअर\",\"imageUrl\":\"\",\"name\":\"Shiv\",\"middleName\":\"\",\"enTrendingTags\":\"#Healthy Living\\t\\t#Health Benefits\\t\\t#Diet and Nutrition\\t\\t#Weight Loss\\t\\t#SkinCare\",\"state\":21,\"email\":\"\",\"key\":\"kreativsarg@1234\"",
Logstash config file
filter { grok{ match => {"message"=>"%{TIME:time} %{WORD:method}\s(?<java_method>[^(]*)%{GREEDYDATA:message}\{%{GREEDYDATA:key_pairs}\}%{GREEDYDATA:more_data}"} } if "ExUsernamePasswordAuthenticationFilter.successfulAuthentication" in [java_method] { mutate { remove_field => ["message"] remove_field => ["more_data"] remove_field => ["message"] } }else { drop {} } } I triedjson{ source => "key_pairs" target => "parsedJson" remove_field=>["key_pairs"] } But it won't work Thanks