SYSLOG, convert string message to JSON format

Hi Jake,

thank you for reaching out.

First of all, I'd like to ask you to format your code before posting. Otherwise it'll be really difficult for us to read your posts and replicate your case. So write your code (Logstash .conf file, JSON or whatever) in whatever editor you want (Visual Code, Atom, Sublime ...), format and indent it properly, paste it here (leaving a newline before and after the code block), highlight the block of code (or JSON, or whatever it is) and click on the Preformatted Text icon.

This is the right way to post code blocks:
[image]

This is the wrong one:

That being said, I see something strange in your pipeline. Why are there 2 filter sections? You can put your filter plugins one after the other in the same filter { } section.

Anyway, looking at your output, it seems to me it correctly parses the syslog_message. In fact, together with the whole message (stored in the syslog_message field), I can also see some other fields (like bytes_sent, product_title, plan_name ...), apparently extracted from the syslog_message.

What do you want to achieve exactly? Do you have any field tags: _jsonparsefailure?

Also, can you post the standard output of the following two pipelines?

input {
  tcp {
    port => 5514
    type => syslog
  }
}

filter {}

output {
  stdout{}
}

And

input {
  tcp {
    port => 5514
    type => syslog
  }
}

filter {
  json {
    source => "syslog_message"
  }
}

output {
  stdout{}
}