I have an application which is sending realtime data to Graylog as JSON. I’m using a plaintext UDP input for this, and attempting to then use the JSON extractor to convert the data back into fields. However the extractor is saying that nothing was extracted.
Looking at the input data, I can see that ‘message’ contains:
[
  {
    "EventDateTime": "2020-08-20T15:31:12",
    "OperationDescription": "Door opened (switch)",
    "IsExit": false,
    "UserName": "",
    "UserGPF1": "",
    "DoorName": "MainGate"
  }
]
i.e., the JSON data contained in square brackets for an array, which the extractor doesn’t seem able to extract from. Is there any way to work around this? The application is a binary, so no way to edit the output at that side. I looked back at my old Logstash system and I did nothing special to access the data there, just used the json codec on the input and got the data out in fields.
Hi Andrew,
I’ve mostly left it on the defaults as they ought to be correct. i.e., list separator=’,’; key separator=’_’. There aren’t any key/value pairs.
I have tried flatten on or off, I have tried changing both of those settings (and the key/value ones) to other values, have tried setting a field prefix. Every time the extractor preview just says ‘nothing will be extracted’.
Create a second JSON extractor as usual, and put it after the first one. Click System - Inputs - raw input - Manage Extractors - click on Sort extractor, and move the first extractor before the JSON extractor.
Many thanks for that. Will stick with extractors for now until I do more with pipelines!
Ended up modifying the regex to \[\s*(\{.*\})\s*\] as the data also contained carriage returns and spaces to indent (which didn’t show up when I copied and pasted to the original message).
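The two-stage workaround from this thread (a regex that strips the array brackets, then JSON parsing of the captured object), as an added example that is not part of the original posts and is not Graylog code. Python stands in for the two extractors; `re.DOTALL`, the `flatten` helper and the sample message are assumptions of this sketch.

```python
import json
import re

# Regex from the thread. re.DOTALL is an assumption of this sketch so that
# "." also spans the line breaks inside the pretty-printed object.
UNWRAP = re.compile(r"\[\s*(\{.*\})\s*\]", re.DOTALL)

# Constructed sample modelled on the message in the thread (CRLF + indentation).
SAMPLE = (
    '[\r\n  {\r\n'
    '    "EventDateTime": "2020-08-20T15:31:12",\r\n'
    '    "OperationDescription": "Door opened (switch)",\r\n'
    '    "IsExit": false,\r\n'
    '    "UserName": "",\r\n'
    '    "UserGPF1": "",\r\n'
    '    "DoorName": "MainGate"\r\n'
    '  }\r\n]'
)


def flatten(obj, prefix="", sep="_"):
    """Flatten nested objects into field names joined by the key separator."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten(value, name, sep))
        else:
            fields[name] = value
    return fields


def extract_fields(message):
    """Stage 1: unwrap the array with the regex. Stage 2: parse the object."""
    match = UNWRAP.search(message)
    if match is None:
        return {}
    try:
        parsed = json.loads(match.group(1))
    except json.JSONDecodeError:
        # e.g. '[{"a":1},{"b":2}]': the greedy group captures '{"a":1},{"b":2}',
        # which is not one JSON object, so nothing is extracted.
        return {}
    return flatten(parsed) if isinstance(parsed, dict) else {}


if __name__ == "__main__":
    print(extract_fields(SAMPLE))
```

A message whose array holds more than one object yields no fields with this regex, so events batched that way would go unparsed.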