I'm new to creating scripts and I don't quite understand; I read the documentation and didn't understand anything :( Could you tell me how I can extract data from the field? This log comes with JSON:
result
{orgName = data, cnts = [{"cnt": value, "state": "data"}, {"cnt": value, "state": "data"}], orgBinIin = value}
I need to display data and values in separate fields
I will be grateful for any help
Hi @anzor,
Please be more verbose: what do you want to achieve?
Which Graylog version do you use?
You posted that you want to create a script. Do you mean you want to parse JSON output from a text file in some CLI script? Or do you want to parse JSON data in Graylog using an extractor or pipeline rule?
Which exact data and values do you want to extract? It's not obvious; there are a lot of values and data in your JSON example.
First of all, your example data is not all JSON. Only cnts is JSON.
JSON has a basic syntax for fields, "key": "value", so orgName = data, cnts = and orgBinIin = value don't use JSON syntax. The only JSON syntax is at cnts =, specifically [{"cnt": "value", "state": "data"}, {"cnt": "value", "state": "data"}], which is of type array. It's not obvious how you want to extract from this array: only the first index, or how?
So there are several solutions in our case:
Use a key-value extractor or pipeline rule to parse into 3 fields: orgName, cnts, orgBinIin
Rename the fields orgName, orgBinIin to Service_name, Service_status
Parse the cnts field as JSON using a JSON extractor or pipeline rule
If the message has a fixed syntax, you can also use a GROK or regex extractor or pipeline rule.
I figured it out: I renamed the fields and output the values. I have a task to collect all the values and data from the "cnt" and "state" fields; how can this be done in GROK patterns?
cnt and state fields contain different data
Please post a real example (anonymized), so we can help exactly for your case. Did you extract the JSON part to a separate field? Is there a fixed number of cnt and state fields, or multiple?
{orgName=Система MailKZ, cnts=[{"cnt":15,"state":"PAID"},{"cnt":64,"state":"ERROR_PAYMENT"}], orgBinIin=111111111111}
This is an example of a log that comes in. I split it by fields, but it takes data only for the first values. I need it to take all the values and data from the fields in an unlimited amount; the statuses and values of cnt and state will be different.
It's not obvious how you want to store multiple cnt and state values in fields. In separate fields? E.g. in a field state with concatenated values, or how?
cnt = 15, 64
state = PAID, ERROR_PAYMENT
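As an added illustration (not code from this thread or from Graylog), the following Python mirrors what the suggested key-value step followed by a JSON step has to do: split the outer `key=value` pairs on commas only at bracket depth zero, so the comma inside the cnts array does not break the split (which is why a plain comma-delimited key-value parse only picks up the first element), then decode cnts as JSON and concatenate every cnt and state into the two fields the last post describes. The sample line is constructed from the format shown above.

```python
import json

# Constructed sample line in the format shown in the thread (not real data).
SAMPLE = ('{orgName=Система MailKZ, cnts=[{"cnt":15,"state":"PAID"},'
          '{"cnt":64,"state":"ERROR_PAYMENT"}], orgBinIin=111111111111}')


def split_top_level(body):
    """Split on commas that sit outside [...] / {...}, so the JSON array stays whole."""
    parts, depth, current = [], 0, []
    for ch in body:
        if ch in "[{":
            depth += 1
        elif ch in "]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current).strip())
    return parts


def parse_line(line):
    """Return a dict of fields; cnt and state hold all array values joined by ', '."""
    body = line.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]          # drop the outer braces, which are not JSON here
    fields = {}
    for part in split_top_level(body):
        key, _, value = part.partition("=")   # first '=' only; JSON contains none
        fields[key.strip()] = value.strip()
    # cnts is the only real JSON in the line: decode it and flatten the array
    items = json.loads(fields["cnts"])
    fields["cnt"] = ", ".join(str(item["cnt"]) for item in items)
    fields["state"] = ", ".join(item["state"] for item in items)
    return fields


if __name__ == "__main__":
    for name, value in parse_line(SAMPLE).items():
        print(f"{name} = {value}")
```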