input {
# Reads a single JSON-array file from disk.
file {
path => [ "/path/file.json" ]
# Start at the top of the file and never persist a read offset (sincedb to
# /dev/null): every start of the pipeline re-ingests the whole file. Fine for
# a one-off test run; as a long-running pipeline this duplicates events.
start_position => beginning
sincedb_path => "/dev/null"
# Join the pretty-printed lines of each object into one event: a line that
# does NOT begin with "{" (negate => true) is appended to the previous event.
# Consequences: the array's opening "[" line becomes an event of its own, and
# the closing "]" is glued onto the last object (the filter section deals
# with both).
codec => multiline
{
pattern => '^\s*{'
negate => true
what => previous
# Flush the still-open last event after 1s of silence instead of waiting for
# a further "{" line that never arrives at end of file.
auto_flush_interval => 1
# Empty tag: joined events do not get the codec's "multiline" tag.
multiline_tag => ""
}
}
}
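filter {
  # Flatten the multi-line JSON object assembled by the multiline codec into a
  # single line. The four original patterns assume CRLF line endings; on an
  # LF-only file they do not match, but the json filter below parses
  # whitespace-containing JSON anyway, so only the trailing "]" matters there.
  mutate {
    gsub => [
      'message', "\s*{\r\n\s*", '{',
      'message', ",\r\n\s*", ',',
      'message', "\r\n\s*},\r", '}',
      'message', "\r\n\s*}\s*]\r", '}',
      'message', "}\s*]\s*\z", '}'
    ]
  }
  # The last gsub strips an array terminator that the codec attached to the
  # final object regardless of line-ending style, so that record is kept.

  # Only events that consist of nothing but a bracket are discarded. The
  # previous condition /^\[|\]/ also dropped any record whose content contained
  # a "]" anywhere (e.g. in post_title), silently losing data.
  if [message] =~ /^\s*[\[\]]\s*$/ {
    drop {}
  } else {
    # No target: the keys of the parsed object land at the event root, so the
    # input file decides field names (set target => "..." if that is not
    # acceptable for this source). On a parse error the event is tagged
    # _jsonparsefailure and keeps its raw "message" instead of being dropped.
    json { source => "message" }
  }

  date {
    match => ["discovered", "yyyy-MM-dd HH:mm:ss.SSSSSS"]
    # "discovered" carries no zone. Without an explicit timezone the host's
    # local zone is applied, which is why the sample output shows 00:00:00
    # becoming 23:00Z / 22:00Z; results then differ per machine. UTC is an
    # assumption — TODO confirm and replace with the zone the upstream
    # actually writes in (an earlier attempt used "Asia/Dubai").
    timezone => "UTC"
    target => "discovered"
  }
}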
output {
# Debug sink only: prints every event to the console (the "Result:" block
# below is this output). Replace with the real destination before use.
stdout { }
}
Result:
{
"message" => "{\"post_title\": \"Windemuller\",\"group_name\": \"lorenz\",\"discovered\": \"2020-01-12 00:00:00.000000\"}",
"post_title" => "Windemuller",
"@timestamp" => 2023-09-30T18:11:06.538084300Z,
"@version" => "1",
"group_name" => "lorenz",
"discovered" => 2020-01-11T23:00:00.000Z
}
{
"message" => "{\"post_title\": \"Leaks Company Birch Communications inc.\",\"group_name\": \"ragnarlocker\",\"discovered\": \"2020-06-10 00:00:00.000000\"}",
"post_title" => "Leaks Company Birch Communications inc.",
"@timestamp" => 2023-09-30T18:11:06.539095700Z,
"@version" => "1",
"group_name" => "ragnarlocker",
"discovered" => 2020-06-09T22:00:00.000Z
}
{
"message" => "{\"post_title\": \"Brunner Announce ? Hello World !\",\"group_name\": \"ragnarlocker\",\"discovered\": \"2020-06-11 00:00:00.000000\"}",
"post_title" => "Brunner Announce ? Hello World !",
"@timestamp" => 2023-09-30T18:11:06.540077Z,
"@version" => "1",
"group_name" => "ragnarlocker",
"discovered" => 2020-06-10T22:00:00.000Z
}
{
"message" => "{\"post_title\": \"INC RANSOMWARE...\",\"group_name\": \"donutleaks\",\"discovered\": \"2023-09-30 04:27:49.408003\"}",
"post_title" => "INC RANSOMWARE...",
"@timestamp" => 2023-09-30T18:11:08.028026200Z,
"@version" => "1",
"group_name" => "donutleaks",
"discovered" => 2023-09-30T02:27:49.408Z
}