Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save holybit/fe3ef49fa472a20267e6 to your computer and use it in GitHub Desktop.
Save holybit/fe3ef49fa472a20267e6 to your computer and use it in GitHub Desktop.
how to get logstash to output key=value pairs from JSON? For example, from below JSON
{"@timestamp":"2015-02-05T12:52:21-0700","@version":"1","tags":["apache","access"],"docker":{"container_id":"CONTAINER_ID","host":"HOST"},"product":"PRODUCT","container_id":"1","bytes":"0","client_ip":"127.0.0.1","client_port":"53053","duration_micros":"219","http_method":"OPTIONS","keepalive":"-","method":"OPTIONS","pid":"117","protocol":"HTTP/1.0","referer":"-","request":"*","response_code":"200","response_size":"-","server_ip":"127.0.0.1","service_port":"80","session_id":"-","site":"-","status":"200","url_path":"*","url_query":"","user":"-","user-agent":"Apache/2.4.6 (CentOS) PHP/5.4.16 (internal dummy connection)","poma_user_id":"-","vhost":"-","X-Forwarded-For":"-"}
input {
file {
codec => "json"
path => "/tmp/log/apache-access_jsonlog-postmaster.dev.returnpath.net.log"
}
}
filter{
json{
source => "message"
add_field => {
"foo" => "bar"
"KITTEH" => "DOGGEH"
}
}
}
output {
stdout {
codec => rubydebug
}
}
{
"@timestamp" => "2015-02-05T13:57:03.000-07:00",
"@version" => "1",
"tags" => [
[0] "apache",
[1] "access"
],
"docker" => {
"container_id" => "CONTAINER_ID",
"host" => "HOST"
},
"product" => "PRODUCT",
"container_id" => "1",
"bytes" => "0",
"client_ip" => "127.0.0.1",
"client_port" => "53179",
"duration_micros" => "203",
"http_method" => "OPTIONS",
"keepalive" => "-",
"method" => "OPTIONS",
"pid" => "134",
"protocol" => "HTTP/1.0",
"referer" => "-",
"request" => "*",
"response_code" => "200",
"response_size" => "-",
"server_ip" => "127.0.0.1",
"service_port" => "80",
"session_id" => "-",
"site" => "-",
"status" => "200",
"url_path" => "*",
"url_query" => "",
"user" => "-",
"user-agent" => "Apache/2.4.6 (CentOS) PHP/5.4.16 (internal dummy connection)",
"poma_user_id" => "-",
"vhost" => "-",
"X-Forwarded-For" => "-",
"host" => "jcrotty.dev.returnpath.net",
"path" => "/tmp/log/apache-access_jsonlog-postmaster.dev.returnpath.net.log"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment