Working with string-format messages and splitting their fields in Logstash

I have this message:

[ReadDockerQueue] [ReadMessageQueue] message: {"requestType":"PortfolioResponse","parametersJson":"{"algorithmAccessSpecifications":{"dockerName":"D1","xxx":"xxx","userName":"xxx","instanceGuid":"95519e30-d552-4171-bd17-9030ec6116ae"},"usersPortfolios":[{"userName":"0013538225","userPortfolios":}]}"} [Dir] ir.sanayco.library.Algorithm.AlgorithmCoreBase.AlgorithmCoreBase$ReadDockerQueue

I want this output in json format:
{
"Info": "[ReadDockerQueue] [ReadMessageQueue]"
"message": {"requestType":"PortfolioResponse","parametersJson":"{"algorithmAccessSpecifications":{"dockerName":"D1","xxx":"xxx","userName":"xxx","instanceGuid":"95519e30-d552-4171-bd17-9030ec6116ae"},"usersPortfolios":[{"userName":"0013538225","userPortfolios":}]}"}
"desc": "[Dir] ir.sanayco.library.Algorithm.AlgorithmCoreBase.AlgorithmCoreBase$ReadDockerQueue"
}
How can I solve my problem?

Easiest is to use grok:

filter {
	grok {
		match => { "message" => '%{DATA:info} message: %{DATA:message}\"\} %{GREEDYDATA:desc}' }
		overwrite => [ "message" ]
	}
	mutate { update => { "message" => '%{message}"}' } }
}

Thank you. It's a great answer.

I have another problem with the Message field. When I run your code, I receive a string in the Message field. I want the output of the Message field to be JSON. It would be like this:

{
  "info": "[ReadDockerQueue] [ReadMessageQueue]",
  "message": {
    "requestType": "PortfolioResponse",
    "parametersJson": {
      "algorithmAccessSpecifications": {
        "dockerName": "D1",
        "xxx": "xxx",
        "userName": "xxx",
        "instanceGuid": "95519e30-d552-4171-bd17-9030ec6116ae"
      },
      "usersPortfolios": [{
        "userName": "0013538225",
        "userPortfolios":
      }]
    }
  },
  "desc": "[Dir] ir.sanayco.library.Algorithm.AlgorithmCoreBase.AlgorithmCoreBase$ReadDockerQueue"
}

I have noticed that. What you copied, or what you originally received, is not valid JSON. You can check and correct it here.
Another option is to split it manually with grok, or just by ",
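As an added illustration (not code from this thread), the Python script below emulates the grok pattern from the accepted answer with an equivalent regex and then tries to decode the extracted message the way the Logstash json filter would: the line from the question fails, the equivalent of a _jsonparsefailure tag, because parametersJson embeds a JSON document with unescaped quotes, while a constructed line in which the producer serialises parametersJson properly decodes, including the second pass needed for the nested JSON string. The helper names and the well_formed_line construction are assumptions made for the demonstration.

```python
import json
import re

DESC = "[Dir] ir.sanayco.library.Algorithm.AlgorithmCoreBase.AlgorithmCoreBase$ReadDockerQueue"

# Constructed copy of the log line from the question: parametersJson is a JSON
# document embedded in a string without its inner quotes escaped (invalid JSON).
LOG_LINE = (
    '[ReadDockerQueue] [ReadMessageQueue] message: {"requestType":"PortfolioResponse",'
    '"parametersJson":"{"algorithmAccessSpecifications":{"dockerName":"D1","xxx":"xxx",'
    '"userName":"xxx","instanceGuid":"95519e30-d552-4171-bd17-9030ec6116ae"},'
    '"usersPortfolios":[{"userName":"0013538225","userPortfolios":}]}"}'
    " " + DESC
)

# Regex equivalent of the grok pattern in the answer (DATA is a lazy .*?,
# GREEDYDATA a greedy .*): %{DATA:info} message: %{DATA:message}\"\} %{GREEDYDATA:desc}
GROK_EQUIVALENT = re.compile(r'^(?P<info>.*?) message: (?P<message>.*?)"\} (?P<desc>.*)$', re.DOTALL)


def split_fields(line):
    """Split into info/message/desc and re-append the '"}' the pattern consumed,
    as the mutate/update step in the answer does. Returns None if no match."""
    m = GROK_EQUIVALENT.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["message"] += '"}'
    return fields


def decode_message(fields):
    """Decode message like the logstash json filter, then decode the nested
    parametersJson string a second time. Returns (object, failure_tag)."""
    try:
        msg = json.loads(fields["message"])
        msg["parametersJson"] = json.loads(msg["parametersJson"])
        return msg, None
    except (json.JSONDecodeError, KeyError, TypeError):
        return None, "_jsonparsefailure"


def well_formed_line():
    """Constructed line the producer would have to emit for decoding to succeed:
    parametersJson serialised with json.dumps (inner quotes escaped) and the
    empty userPortfolios value replaced by a placeholder list."""
    inner = {"algorithmAccessSpecifications": {"dockerName": "D1", "userName": "xxx",
             "instanceGuid": "95519e30-d552-4171-bd17-9030ec6116ae"},
             "usersPortfolios": [{"userName": "0013538225", "userPortfolios": []}]}
    outer = {"requestType": "PortfolioResponse", "parametersJson": json.dumps(inner, separators=(",", ":"))}
    return "[ReadDockerQueue] [ReadMessageQueue] message: " + json.dumps(outer, separators=(",", ":")) + " " + DESC
```

In a real pipeline the same second pass is a second json filter with source => "[message][parametersJson]", and events tagged _jsonparsefailure should be routed aside rather than silently dropped.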
