Teja Chowdary

Reputation: 21

How to write a grok expression for JSON

Hello, can anyone help me in writing a grok pattern for this JSON?

{  
   "loggerFqcn":"org.apache.commons.logging.impl.SLF4JLocationAwareLog",
   "level":"INFO",
   "endOfBatch":true,
   "thread":"[cridtest].HTTP_Listener_Configuration.worker.01",
   "message":"[[Application = CorrelationID PoC]  [serverTime=2017-10-20T11:43:06.932-04:00] [CorrelationID = 5dec5af0-b5ad-11e7-b80d-f8597191971c] ]",
   "threadPriority":5,
   "threadId":88,
   "@timestamp":"2017-10-20T15:43:07.143Z",
   "port":60797,
   "@version":"1",
   "host":"73.132.64.252",
   "loggerName":"org.mule.api.processor.LoggerMessageProcessor",
   "timeMillis":1508514186945
}

Upvotes: 2

Views: 3642

Answers (2)

sysadmin1138

Reputation: 1303

If that JSON is in fact well formed, you will be far better served using the json {} filter to parse that. Assuming that's coming in on the message field:

filter {
  json {
    source => "message"
    target => "json_data"
  }
}

This will dump the parsed data structure as sub-fields under the json_data field. You can use later mutate {} filter calls to drop the fields you don't want, or locate them into a different part of the event.

filter {
  mutate {
    # Nested fields are referenced as [parent][child], not parent.child
    add_field    => { "host" => "%{[json_data][host]}" }
    remove_field => [ "[json_data][host]" ]
  }
}

Which will move the encoded host to the top of the event.

Upvotes: 4
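
An added example, not part of the answer above: a pipeline that applies the json filter to the event from the question, then pulls the correlation ID and server time out of the nested "message" key, skipping events whose JSON did not parse. The field names application, server_time and correlation_id and the tag _inner_message_parse_failure are chosen for this example.

```logstash
filter {
  # Parse the JSON document carried in the event's "message" field.
  # Keeping the parsed keys under json_data stops log-supplied values
  # such as "host" or "@timestamp" from overwriting the event's own fields.
  json {
    source => "message"
    target => "json_data"
  }

  # The json filter tags events it cannot parse with _jsonparsefailure
  # (its default tag_on_failure). Only run grok when parsing succeeded.
  if "_jsonparsefailure" not in [tags] {
    # The application's own log line is the nested "message" key:
    # [[Application = ...]  [serverTime=...] [CorrelationID = ...] ]
    grok {
      match => {
        "[json_data][message]" => "\[Application = %{DATA:application}\]\s+\[serverTime=%{TIMESTAMP_ISO8601:server_time}\]\s+\[CorrelationID = %{UUID:correlation_id}\]"
      }
      tag_on_failure => [ "_inner_message_parse_failure" ]
    }

    # Use the time the application recorded as the event's @timestamp.
    date {
      match => [ "server_time", "ISO8601" ]
    }
  }
}
```

Events carrying either failure tag can be routed to a separate output for review instead of being dropped.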

lotfi1991

Reputation: 35

You can use this pattern generator:

https://grokdebug.herokuapp.com/

Example Grok-pattern:

{%{QS}:%{QS}, %{QS}:%{QS}, %{QS}:true, %{QS}:%{QS}, %{QS}:%{QS}, %{QS}:5, %{QS}:88, %{QS}:%{QS}, %{QS}:60797, %{QS}:%{QS}, %{QS}:%{QS}, %{QS}:%{QS}, %{QS}:1508514186945}

Upvotes: -1
