Send unparsed JSON as a field to Elasticsearch from Logstash

I have this message log:

10:49:38,664 INFO (ajp-executor-threads - 156) JAR:SOME_JAR ESB66ID:6648 ISV:2019H01B18 SOL:1 NC:1 SRV:CAHREST001 INPUT:{"someky": "somevalue"}

And this grok pattern:

%{TIME:hora} INFO \(ajp-executor-threads - %{NUMBER:thread}\) JAR:%{WORD:jar} ESB66ID:%{NUMBER:esb66id} ISV:%{WORD:isv} SOL:%{NUMBER:sol} NC:%{NUMBER:nc} SRV:%{WORD:service}

The result of applying the grok filter is this:

{
  "time": [
    "10:49:38,664"
  ],
  "thread": [
    "156"
  ],
  "jar": [
    "SOME_JAR"
  ],
  "esb66id": [
    "6648"
  ],
  "isv": [
    "2019H01B18"
  ],
  "sol": [
    "1"
  ],
  "nc": [
    "1"
  ],
  "service": [
    "CAHREST001"
  ]
}

How can I get this result, that is, have the JSON sent as one field, unparsed, to Elasticsearch?

{
  "time": [
    "10:49:38,664"
  ],
  "thread": [
    "156"
  ],
  "jar": [
    "SOME_JAR"
  ],
  "esb66id": [
    "6648"
  ],
  "isv": [
    "2019H01B18"
  ],
  "sol": [
    "1"
  ],
  "nc": [
    "1"
  ],
  "service": [
    "CAHREST001"
  ],
  input: [
	{"somekey", "somevalue"}
  ]
}

I tried something like this with no success:

%{TIME:hora} INFO \(ajp-executor-threads - %{NUMBER:thread}\) JAR:%{WORD:jar} ESB66ID:%{NUMBER:esb66id} ISV:%{WORD:isv} SOL:%{NUMBER:sol} NC:%{NUMBER:nc} SRV:%{WORD:service} INPUT:%{DATA:input}

Use INPUT:%{GREEDYDATA:input} instead of INPUT:%{DATA:input}. I do not understand the difference between greedy and lazy well enough to explain why :)
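
Why the swap works, as an added example that is not part of the original thread: grok's DATA is the lazy regex `.*?` and GREEDYDATA is the greedy `.*`, and a lazy match at the very end of an unanchored pattern is satisfied by zero characters. The Python below uses simplified stand-ins for TIME, NUMBER and WORD (assumptions, the real definitions are stricter) and a hypothetical helper `grok_to_regex`.

```python
import re

# The log line from the question, embedded so the example runs offline.
LINE = ('10:49:38,664 INFO (ajp-executor-threads - 156) JAR:SOME_JAR '
        'ESB66ID:6648 ISV:2019H01B18 SOL:1 NC:1 SRV:CAHREST001 '
        'INPUT:{"someky": "somevalue"}')

# Simplified stand-ins for the grok patterns used in the question
# (assumption: the shipped TIME/NUMBER/WORD definitions are stricter).
GROK = {
    "TIME": r"\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "NUMBER": r"\d+",
    "WORD": r"\w+",
    "DATA": r".*?",        # lazy: as few characters as possible
    "GREEDYDATA": r".*",   # greedy: as many characters as possible
}

def grok_to_regex(pattern):
    """Hypothetical helper: expand %{NAME:field} into a named regex group."""
    return re.sub(r"%\{(\w+):(\w+)\}",
                  lambda m: "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)]),
                  pattern)

# The pattern from the question, up to and including the INPUT: literal.
PREFIX = (r"%{TIME:hora} INFO \(ajp-executor-threads - %{NUMBER:thread}\) "
          r"JAR:%{WORD:jar} ESB66ID:%{NUMBER:esb66id} ISV:%{WORD:isv} "
          r"SOL:%{NUMBER:sol} NC:%{NUMBER:nc} SRV:%{WORD:service} INPUT:")

def extract_input(tail):
    """Return what the 'input' field captures for a given final token."""
    m = re.search(grok_to_regex(PREFIX + tail), LINE)
    return m.group("input") if m else None

if __name__ == "__main__":
    # DATA alone matches but captures nothing; anchoring it with $ or
    # switching to GREEDYDATA captures the whole JSON text as one string.
    for tail in ("%{DATA:input}", "%{DATA:input}$", "%{GREEDYDATA:input}"):
        print("%-22s -> %r" % (tail, extract_input(tail)))
```

With DATA the overall match still succeeds, so no `_grokparsefailure` tag appears; the capture is simply empty, and grok's `keep_empty_captures` option defaults to false, so the field is dropped from the event.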
