dev devv
Reputation: 95
Kibana. Extract fields from @message containing a JSON
I would like to extract in Kiabana fields from @message field which contains a json. ex:
Audit{
uuid='xxx-xx-d3sd-fds3-f43',
action='/v1.0/execute/super/method',
resultCode='SUCCESS',
browser='null',
ipAddress='192.168.2.44',
application='application1',
timeTaken='167'
}
Having "action" and "application" fields I hope to be able to find top 5 requests that hits the application.
I started with something similar to this:
filter {
if ([message]~ = "Audit") {
grok {
match => {
"message" => "%{WORD:uuid}, %{WORD:action}, %{WORD:resultCode}, %{WORD:browser}, %{WORD:ipAddress}, %{WORD:application}, %{NUMBER:timeTaken}"
}
add_field => ["action", "%{action}"]
add_field => ["application", "%{application}"]
}
}
}
But it seems to be too far from reality.
Upvotes: 2
Views: 3488
Answers (1)
HauLuk
Reputation: 155
If the content of "Audit" is really in json format, you can use the filter plugin "json"
json{
source => "Audit"
}
It will do the parsing for you and creates everything. You don't need grok / add_field.
Upvotes: 1
Related Questions
- Parsing JSON to Kibana using Grok Filter
- grok pattern to parse the logs in logstash
- Extract from LogStash message field in Kibana dashboard
- Extract JSON from a log Logstash
- grok pattern to extract data from log message
- Extracting a json field using Kibana
- Can I use Kibana to parse the message field
- Parsing JSON file into logstash
- How to pull specific data out of a message in LogStash
- Extracting fields in Logstash