Skip to content

Instantly share code, notes, and snippets.

@jclosure

jclosure/logstash.conf

Created January 25, 2022 05:00
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save jclosure/20353a9ebd94e59c9cad3fabdf594f9b to your computer and use it in GitHub Desktop.
Save jclosure/20353a9ebd94e59c9cad3fabdf594f9b to your computer and use it in GitHub Desktop.
Download ZIP
Logstash parsing json string fields, merging, and replacing event
Raw
logstash.conf
# test as follows:
# 1. start logstash:
# logstash -f ~/logstash.conf --config.reload.automatic
# 2. send it data:
# echo '{"container": "/spiff", "bleh": "blah"}' | nc localhost 6060
input {
tcp {
port => 6060
}
}
filter {
# merge json fields to top-level event
if [message] {
if [message] =~ "\A\{.+\}\z" {
ruby {
code => '
msgObj = JSON.parse(event.get("message"))
msgObj.each { |k,v|
event.set("#{k}", v)
}
event.remove("message")
'
}
}
}
# # convert a field "message" to json and replace it
# if [message] {
# if [message] =~ "\A\{.+\}\z" {
# ruby {
# code => '
# msgObj = JSON.parse(event.get("message"))
# event.set("message", msgObj)
# '
# }
# }
# }
}
output {
stdout {
# codec => rubydebug
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment