add_field logstash after converting value to Json

Question

add_field logstash after converting value to Json

3.2k views Asked by Yatender Singh At 02 January 2017 at 12:47

I have logfile containing log in this form

"{\"user_id\":\"79\",\"timestamp\":\"2016-12-28T11:10:26Z\"‌,\"operation\":\"ver‌3 - Requested for recommended,verified handle information\",\"data\":\"\",\"content_id\":\"\",\"channel_id‌\":\"\"}"

for which I have written logstash configuration

input {
beats {
    port => "5043"
}
}
filter{
    grok {
       match => { "message" => "%{QS:mydata}"}
    }
    json {
       source => "message"
       target => "parsedJson"
    }
    mutate {
       add_field =>{
        "user_id" => "%{[parsedJson.user_id]}"
        "operation" => "%{[parsedJson][operation]}"
        "data"=> "%{[parsedJson][operation]}"
       }
     }
}
output {
    elasticsearch {
       hosts => [ "localhost:9200" ]
    }
}

basically I have tried many permutations to fetch the value but in elasticsearch data is like the image below. I am not able to fetch data from JSON and assign to a new value. please help.

Original Q&A

There are 1 answers

**Kulasangar** · Answer 1 · 2017-01-02 16:09:43

What if you try including the add_field within your json filter and make mydata as your source in json. Also please make sure that you don't separate the add_field value with the . dot:

json {
     source => "mydata"
     target => "parsedJson"
     add_field => {
      "user_id" => "%{[parsedJson][user_id]}}"
      "operation" => "%{[parsedJson][operation]}}"
      "data" => "%{[parsedJson][data]}}"
     }
     remove_field=>["mydata"] <-- you can ignore this if you really don't want to remove
}

Hope it helps!

TechQA.

add_field logstash after converting value to Json

There are 1 answers

Related Questions in ELASTICSEARCH

Related Questions in LOGSTASH

Related Questions in LOGSTASH-GROK

Related Questions in LOGSTASH-CONFIGURATION

Related Questions in FILEBEAT

Popular Questions

Popular Tags

Trending Questions