Here is an example that parses a JSON string contained in a syslog message.
This uses grok to strip off the syslog headers before passing the remainder to the json filter:
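filter {
  if [type] == "syslog" {
    # Strip the syslog header; keep everything after it in syslog_message
    grok {
      match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
    }
    # Parse the remaining text as JSON; source takes the field name as a string
    json {
      source => "syslog_message"
    }
  }
}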
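A variant of the same filter for syslog input from senders you do not fully trust, added here as an example and not part of the original snippet. The field name "payload" is an assumption chosen for illustration; target, tag_on_failure and remove_field are standard options of the grok and json filters.

```logstash
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
      # Default failure tag, written out so the conditional below is easy to follow
      tag_on_failure => ["_grokparsefailure"]
    }

    # Only attempt JSON parsing when the syslog header was actually matched
    if "_grokparsefailure" not in [tags] {
      json {
        source => "syslog_message"
        # Without target, parsed keys land at the top level of the event, so a
        # sender-supplied key such as "type" or "host" can overwrite fields that
        # routing and detection rules rely on. Nest them under [payload] instead
        # ("payload" is a hypothetical name).
        target => "payload"
        # Malformed JSON keeps the raw text in syslog_message and is tagged
        tag_on_failure => ["_jsonparsefailure"]
        # Applied only when parsing succeeds, so failed events stay inspectable
        remove_field => ["syslog_message"]
      }
    }
  }
}
```

Events tagged _grokparsefailure or _jsonparsefailure keep their original text, so they can be routed to a separate output and reviewed instead of being silently dropped.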