To get message field for json filter

Elastic Stack Logstash
1

Hi Team,

I use json filter to parse my json data but my json data has "message" value. that's why ı'm not able to get standard message field which have all parsed log. I just have "message" field which come from json log data. How can I get both message field ? I tried to rename message field for json data but was not able to get message field which show whole parsed log.

json data example;
mxlayer[2076559]: {"message":"Not a valid password","context":{"type":"RESTAPI","subtype":"RESPONSE","details":

2

Hi @a.emrekaraman,

To confirm, by JSON filter, are you suggesting you're using Logstash to ingest data into Elasticsearch?

3

Hi Carly,

Yes, I'm using logstash to ingest data into elasticsearch.

Thanks

4

Thanks for confirming @a.emrekaraman. I've changed the topic of your question to Logstash.

Can you share your current configuration and what you mean by:

get both message field

Would it not just be the case of pulling out the message field using the source attribute?

5

Not clear what is the main problem:

  • message and message inside ->use [event][orginal] which contains LS "message" no the field inside
  • incorrect JSON structure ->use grok to extract fields

Edit: Another thing, you can use also different "target"=> "something"

By default, it will place the parsed JSON in the root (top level) of the Logstash event, but this filter can be configured to place the JSON into any arbitrary event field, using the target configuration.

1 Like
7

Not sure have you solved. Might be:

  • your message is not pure JSON structure - have more fields inside the message
  • it hasn't been properly formatted, use JSON viewer like https://jsonlint.com/ to discover data inconsistency
  • your data is not valid in some cases like too long line don't have quotes at the end
8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.