I have a problem generating sub fields from a JSON message.
With the following filter I try to check if the field "details" exists and add the JSON fields to it.
If it doesn't exist, the field should be created with the sub fields; this is working.
I tried the following filter, but it doesn't work:
    if "#json" in [message] {
      if ["details"] {
        grok { match => { "message" => "[details](\{.*\})" } }
      }
      else {
        grok { match => { "message" => "(?<details>\{.*\})" } }
      }
    }
In the "if" case the fields won't be added as sub fields; everything is connected and written as a string value to the "details" field. Where is my mistake in the "if" case?
To describe the whole thing in more detail, the "details" field does not always exist. If it exists, it already has various subfields, and the values from a JSON message should be added as further subfields. The case where the field doesn't exist works with my filter.
In principle, the JSON messages always look like this:
Some text. #json: {"Value1":10,"Value2":8,"Value3":{"Value4":["Foo","Bar"],"Value5":["Foo","Bla"]}}
I would expect that the if case generates the following fields, which it doesn't do because of a grok parsing error.
I actually thought it would be enough if I changed the string to the field, but that doesn't work. The problem must be here and I don't understand what's wrong with it:
The problem is that a few of our functions have the [details] field occupied, which was not properly implemented by our developers, so it may be that the [details] field already exists with subfields. Therefore the information from the JSON messages must be added to this field as subfields. I've already forwarded this to the appropriate teams, but it may take a while to clean it up.
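One way to get the behaviour described above (parse the JSON after "#json:" and add its keys under [details] without discarding subfields that are already there), written as an added example rather than code from the original post. It assumes the JSON object is the last thing on the line, uses a temporary field named json_part (my own name), and relies on a ruby filter for the merge because the json filter's target option writes the parsed object as a whole:

```logstash
filter {
  if "#json" in [message] {
    # Capture only the JSON object into a temporary field; nothing is
    # written to [details] at this point, so an existing object is untouched.
    grok {
      match => { "message" => "#json:\s*(?<json_part>\{.*\})" }
    }
    if [json_part] {
      # Parse into a temporary field. Using target => "details" here would
      # replace an existing [details] object instead of adding to it.
      json {
        source       => "json_part"
        target       => "[@metadata][parsed]"
        remove_field => ["json_part"]
      }
      # Merge each top-level key of the parsed object under [details].
      # Keys already present in [details] with the same name are overwritten;
      # all other existing subfields stay as they were.
      ruby {
        code => '
          parsed = event.get("[@metadata][parsed]")
          if parsed.is_a?(Hash)
            parsed.each { |k, v| event.set("[details][#{k}]", v) }
          end
        '
      }
    }
  }
}
```

For the sample line above this yields [details][Value1], [details][Value2] and [details][Value3] (with Value4 and Value5 nested underneath) whether or not [details] existed before; a grok failure leaves [details] unchanged and only adds the _grokparsefailure tag.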