{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Deceive 欺骗 的问题《Decompose Logstash json message into fields》','https://www.manongdao.com/q-468677.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
It have a logfile that stores event with a timestamp and a json message. For example:
timestamp {"foo": 12, "bar": 13}
I would like to decompose the keys (foo and bar) in the json part into fields in the Logstash output.
I'm aware that I can set the format field in the Logstash file filter to json_event but in that case I have to include the timestamp in json. There is also a json filter, but that adds a single field with the complete json data structure, instead of using the keys.
Any ideas how this can be done?
I've done this with the following config:
By the way, this is a config for the new version 1.2.0.
In version 1.1.13 you need to include a target on the json filter and the reference for message in the grok filter is @message.
Try the latest logstash 1.2.1 and use codec value to parse json events directly.
You can just use plain Grok filters (regex style filters/patterns) and assign the matched value into a variable for easy organization, filtering and searching.
An example:
Something along those lines.
Use the GrokDebugger to help out if you get stuck on the syntax, patterns and things you think should be matching but aren't.
Hope that helps a bit.
your JSON is wrong
{"foo": 12, "bar" 13}should be:
{"foo": 12, "bar": 13}