Data output from json by fields

Good afternoon!

I’m new to creating scripts and I don’t quite understand. I read the documentation and I didn’t understand anything :( Could you tell me how I can extract data from the field? This log comes with JSON.
result
{orgName = data, cnts = [{"cnt": value, "state": "data"}, {"cnt": value, "state": "data"}], orgBinIin = value}
I need to display data and values in separate fields.
I will be grateful for any help.

hi @anzor ,
Please be more verbose: what do you want to achieve?

  1. What Graylog version do you use?
  2. You posted that you want to create a script. Do you mean you want to parse JSON output from a text file in some CLI script? Or do you want to parse JSON data in Graylog using an extractor or pipeline rule?
  3. Which exact data and values do you want to extract? It’s not obvious; there are a lot of values and data in your JSON example.

hi! @shoothub
  1. I am using Graylog version 4.1.
  2. Yes, I want to parse JSON data in Graylog using an extractor or pipeline, outputting to new fields.
  3. I want to output (orgName = data), ("cnt": value), ("state": "data") into new fields that will be named:
     1. Service_name
     2. Service_value
     3. Service_status

First of all, your example data is not all JSON. Only cnts is JSON.

JSON has a basic syntax for fields, "key": "value", so orgName = data, cnts = and orgBinIin = value don’t use JSON syntax. The only JSON syntax is at cnts =, specifically [{"cnt": "value", "state": "data"}, {"cnt": "value", "state": "data"}], which is of type array. It’s not obvious how you want to extract from this array: only the first index, or how?

So there are more solutions in our case:

  1. Use a key value extractor or pipeline rule to parse to 3 fields: orgName, cnts, orgBinIin
  2. Rename fields orgName, orgBinIin to Service_name, Service_status
  3. Parse the cnts field as JSON using a JSON extractor or pipeline rule

If the message has a fixed syntax, you can also use a GROK or regex extractor or pipeline rule.

I figured it out, I renamed the fields and output the values. I have a task to collect all the values and data from the "cnt" and "state" fields; how can this be done in grok patterns?
The cnt and state fields contain different data.

Please post a real example (anonymized), so we can help exactly for your case. Did you extract the JSON part to a separate field? Is there a fixed number of cnt and state fields, or multiple?

result

{orgName=Система MailKZ, cnts=[{"cnt":15,"state":"PAID"},{"cnt":64,"state":"ERROR_PAYMENT"}], orgBinIin=111111111111}
This is an example of a log that comes in. I split it by fields, but it takes data only for the first values. I need it to take all the values and data from the fields in an unlimited amount; the statuses and values of cnt and state will be different.

It is not possible to transfer to state and cnt all the values and data that the log sends.

It’s not obvious how you want to store multiple cnt and state values in fields. In separate fields? E.g. in a field state with concatenated values, or how?
cnt = 15, 64
state = PAID, ERROR_PAYMENT

In separate fields. I will give a name for each field; I will need to display this on the Grafana dashboard.

You mean, like this?:

state1 = PAID
cnt1 = 15

state2 = ERROR_PAYMENT
cnt2 = 64

Yes, everything is correct, I will change the field names to the appropriate status

Not very optimized, but it should work:

cnts=\[\{"cnt":%{NONNEGINT:cnt1},"state":%{QUOTEDSTRING:state1}\}(?:,\{"cnt":%{NONNEGINT:cnt2},"state":%{QUOTEDSTRING:state2}\})?(?:,\{"cnt":%{NONNEGINT:cnt3},"state":%{QUOTEDSTRING:state3}\})?\]

Example for 3 statuses; if you need more, copy it more times.

Everything works great, thanks, and I apologize for my stupidity.
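The following Python script is an added example, not code from the thread or from Graylog. It goes beyond the three-entry grok pattern by decoding the cnts array with a JSON parser, so any number of entries is handled; the cnt_<STATE> field naming and the summing of repeated states are assumptions.

```python
import json
import re

# Constructed sample line, modelled on the anonymized log posted in the thread.
SAMPLE = ('{orgName=Система MailKZ, cnts=[{"cnt":15,"state":"PAID"},'
          '{"cnt":64,"state":"ERROR_PAYMENT"}], orgBinIin=111111111111}')

_KEY = re.compile(r'\s*,?\s*(\w+)\s*=\s*')
_DECODER = json.JSONDecoder()


def parse_line(line):
    """Split the outer {key=value, ...} wrapper; decode values starting with '[' as JSON."""
    body = line.strip()
    if not (body.startswith('{') and body.endswith('}')):
        raise ValueError('not a {key=value, ...} record')
    body = body[1:-1]
    fields, pos = {}, 0
    while pos < len(body):
        m = _KEY.match(body, pos)
        if not m:
            raise ValueError(f'unexpected text at offset {pos}')
        key, pos = m.group(1), m.end()
        if body.startswith('[', pos):
            # raw_decode consumes exactly one JSON value, commas inside it included.
            fields[key], pos = _DECODER.raw_decode(body, pos)
        else:
            # Plain value: runs up to the next ", key=" or the end of the record.
            nxt = re.search(r',\s*\w+\s*=', body[pos:])
            end = pos + nxt.start() if nxt else len(body)
            fields[key], pos = body[pos:end].strip(), end
    return fields


def flatten(fields):
    """Return flat fields: Service_name plus one cnt_<STATE> field per array entry."""
    out = {'Service_name': fields.get('orgName', '')}
    for entry in fields.get('cnts', []):
        # The state comes from the log, so restrict what can reach a field name.
        state = re.sub(r'[^A-Za-z0-9_]', '_', str(entry.get('state', 'UNKNOWN')))
        name = f'cnt_{state}'
        # Assumption: if a state appears twice in one record, its counts are summed.
        out[name] = out.get(name, 0) + int(entry.get('cnt', 0))
    return out


if __name__ == '__main__':
    print(flatten(parse_line(SAMPLE)))
```
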