this is an example of my log file..
{"LogMsg":"{"deviceId":"911490250554400","description":"P701","owner":"admin","passcodeEnabled":"false","batteryLevel":18.0,"internalAvailableMemory":2.78478848E8,"latitude":11.0131367,"longitude":76.9832415,"appName":"AnTuTu%20Benchmark","appMemoryUsage":34976,"appStatus":"true"}"}
{"LogMsg":"{"deviceId":"4604d6a6f15593eb","description":"iball8735m_9706","owner":"admin","passcodeEnabled":"false","batteryLevel":55.0,"internalAvailableMemory":3.57023744E8,"latitude":12.9719136,"longitude":80.2174182,"appName":"Asphalt%20Nitro","appMemoryUsage":0,"appStatus":"false"}"}
{"LogMsg":"{"deviceId":"911490250554400","description":"P701","owner":"admin","passcodeEnabled":"false","batteryLevel":18.0,"internalAvailableMemory":2.78478848E8,"latitude":11.0131367,"longitude":76.9832415,"appName":"AnTuTu%20Benchmark","appMemoryUsage":34976,"appStatus":"true"}"}
{"LogMsg":"{"deviceId":"4604d6a6f15593eb","description":"iball8735m_9706","owner":"admin","passcodeEnabled":"false","batteryLevel":55.0,"internalAvailableMemory":3.57023744E8,"latitude":12.9719136,"longitude":80.2174182,"appName":"Asphalt%20Nitro","appMemoryUsage":0,"appStatus":"false"}"}
Use the gsub setting in the mutate filter. I've used it the past. Here's the link and example from the logstash docs.
Good Luck!
filter {
mutate {
gsub => [
# replace all forward slashes with underscore
"fieldname", "/", "_",
# replace backslashes, question marks, hashes, and minuses
# with a dot "."
"fieldname2", "[\\?#-]", "."
]
}
}can you please tell what is error in my logstash filter ..
filter {
mutate {
gsub => [ "LogMsg", "", "." ]
}
}
i get this error
[2017-07-06T13:06:34,602][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, ,, ] at line 15, column 24 (byte 264) after filter {\n mutate {\n gsub => [\n # replace backslashes, question marks, hashes, and minuses\n # with a dot "."\n "message", "\", ""}
[2017-07-06T13:07:23,590][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, ,, ] at line 15, column 24 (byte 264) after filter {\n mutate {\n gsub => [\n # replace backslashes, question marks, hashes, and minuses\n # with a dot "."\n "message", "\", ""}
Be aware of escaping any backslash in the config file.
try this...
filter {
mutate {
gsub => [ "LogMsg", "\\", "." ]
}
}i tried and i get this error
[2017-07-06T13:28:32,381][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, ,, ] at line 15, column 23 (byte 224) after filter {\n mutate {\n gsub => [\n # replace backslash\n # with a dot "."\n "LogMsg", "\", ""}
You don't have validate json because you're adding dots. Try this.
filter {
mutate {
gsub => [ "LogMsg", "\\", "" ]
}
}
I suggest taking one of your example log lines and manually removing the \ then validate your json with https://jsonformatter.curiousconcept.com/
i did.now it show this error
[2017-07-06T13:52:07,579][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, ,, ] at line 12, column 33 (byte 171) after filter {\n mutate {\n gsub => [ "LogMsg", '\\' , '"}
do we have to use Logmsg or only message in the gsub field
The example log lines are from your log or logstash output? Can you share your logstash conf?
The contents of the LogMsg field is a JSON string so you should use a json filter to deserialize it. Do not use gsub.
Thank you so much it worked with JSON filter
filter {
json {
source => "message"
}
json {
source => "LogMsg"
}
}
Now its working correctly
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.