0
votes

I'm fairly new to Logstash filtering stuff. I've got the below JSON string:

{
    "changed": false, 
    "msg": "Foo Facts: oma_phase: prd, oma_app: fsd, oma_apptype: obe, oma_componenttype: oltp, oma_componentname: -, oma_peak: pk99, oma_phaselevel: prd"
}

I would like to extract the fields oma_phase, oma_app, oma_apptype, oma_componenttype, oma_componentname, oma_peak & oma_phaselevel.

I've tried the below native json filter:

filter {
  if [type] == "ansible" {
    json {
      source => "ansible_result"
    }
  }
}

Here ansible_result is the key holding the above JSON value. However, there are many keys having different values but with the same ansible_result key. This is creating a lot of index keys and I don't want that.

I would like to have some sort of filter which can match the substring Foo Facts and thereafter extract the oma_* fields.

I somehow couldn't manage to do it with the grok filter to match the substring. It would be really great if you could help me with this.

Many thanks in advance.


2 Answers

1
votes

Please try the following code:

filter {
  json {
    source => "message"
  }
}

The ansible_result JSON will be considered as the message.

0
votes

It was a little difficult in the beginning but eventually I managed to crack the grok.

\"msg\": \"Foo Facts: oma_phase: %{DATA:oma_phase}, oma_app: %{DATA:oma_app}, oma_apptype: %{DATA:oma_apptype},( oma_componenttype: %{DATA:oma_componenttype},)? oma_componentname: %{DATA:oma_componentname}, oma_peak: %{DATA:oma_peak}, oma_phaselevel: %{DATA:oma_phaselevel}\"

From the logs, I got to know that oma_componenttype is missing for some logs, so I marked it as an optional field with ()?

It wouldn't have been possible without the help of the below online parsers.

  1. grokdebug
  2. Grok Constructor
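The grok pattern from the second answer, rewritten as an equivalent Python regex so it can be tested offline against the exact edge case that answer describes (a message with no oma_componenttype). This is an added example, not code from the thread or from Logstash; it assumes the raw ansible_result value is the JSON string shown in the question and that only its msg key should be read, so unrelated ansible_result payloads never turn into new index fields.

```python
import json
import re
from typing import Optional

# Python equivalent of the grok pattern above. %{DATA} is grok's
# non-greedy ".*?", so each field becomes a lazy named group; the
# oma_componenttype pair is optional, exactly as in the grok pattern.
FOO_FACTS_RE = re.compile(
    r'Foo Facts: oma_phase: (?P<oma_phase>.*?), '
    r'oma_app: (?P<oma_app>.*?), '
    r'oma_apptype: (?P<oma_apptype>.*?),'
    r'(?: oma_componenttype: (?P<oma_componenttype>.*?),)?'
    r' oma_componentname: (?P<oma_componentname>.*?), '
    r'oma_peak: (?P<oma_peak>.*?), '
    r'oma_phaselevel: (?P<oma_phaselevel>.*?)$'
)


def extract_oma_fields(ansible_result: str) -> Optional[dict]:
    """Parse the JSON held in ansible_result and return only the oma_*
    fields, or None when msg does not carry a Foo Facts line."""
    try:
        msg = json.loads(ansible_result).get("msg", "")
    except (ValueError, TypeError, AttributeError):
        return None
    if "Foo Facts" not in msg:      # the substring guard the question asks for
        return None
    m = FOO_FACTS_RE.search(msg)
    if m is None:
        return None
    # drop the optional group when it did not match instead of storing None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# Constructed sample events: the one from the question, one without
# oma_componenttype (the case the second answer made optional), and one
# unrelated ansible_result payload that must not produce any oma_* keys.
FULL = json.dumps({"changed": False, "msg": "Foo Facts: oma_phase: prd, oma_app: fsd, "
                   "oma_apptype: obe, oma_componenttype: oltp, oma_componentname: -, "
                   "oma_peak: pk99, oma_phaselevel: prd"})
NO_CTYPE = json.dumps({"changed": False, "msg": "Foo Facts: oma_phase: prd, oma_app: fsd, "
                       "oma_apptype: obe, oma_componentname: -, oma_peak: pk99, "
                       "oma_phaselevel: prd"})
OTHER = json.dumps({"changed": True, "msg": "some other task output"})

if __name__ == "__main__":
    for event in (FULL, NO_CTYPE, OTHER):
        print(extract_oma_fields(event))
```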