Well, first, don’t select “Flatten” - that just tries to stuff it all into a single field with a weird format; so uncheck that. Then there’s the issue that it may not want to work after all due to the JSON object also containing a field named “message”, and I’m not sure how that plays along with Graylog JSON extractor (especially in copy mode).
An alternative option is to do this in a pipeline, a bit more work but if you create a rule as follows:
rule "parse the json log entries"
when
  true
then
  let json_tree = parse_json(to_string($message.message));
  let json_fields = select_jsonpath(json_tree, {
    time: "$.time",
    level: "$.level",
    message: "$.message",
    CorrelationID: "$.CorrelationID",
    SessionID: "$.SessionID",
    Component: "$.Component",
    ComponentVersion: "$.ComponentVersion",
    Action: "$.Action",
    Method: "$.Method",
    MemberID: "$.MemberID",
    TimeSpent: "$.TimeSpent"
  });
  set_field("level", to_string(json_fields.level));
  set_field("message", to_string(json_fields.message));
  set_field("CorrelationID", to_string(json_fields.CorrelationID));
  // etc. etc. etc.
  // field name must be a string; event time replaces Graylog's ingest timestamp
  set_field("timestamp", flex_parse_date(to_string(json_fields.time)));
  remove_field("time");
end
That will do the trick too - instead of setting each field individually you can also set_fields(json_fields) - but doing it individually means you can do the proper to_string/to_bool/to_long/to_double typecasting if it’s required. It will also grab the “time” field from your message, and will replace Graylog’s timestamp with the “proper” time of the event occurring since Graylog will not do that automatically for you.
(Also if you use a JSON extractor, you would still require a 2nd extractor to move the time field into the timestamp field)
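An added example, not from the post above, of the same approach with the two things a practitioner usually wants on top: a guard so messages that are not JSON are left untouched instead of erroring, and a field prefix so the embedded "message"/"level" keys do not silently overwrite Graylog's own fields. It assumes the same JSON layout as the rule above; the `app_` prefix and the use of `is_json()` and the prefix argument of `set_fields()` are my choices, not something from the original post.

```graylog
rule "parse app json, guarded and prefixed"
when
  // Only fire when the raw message parses as a JSON tree (assumed guard);
  // non-JSON lines from the same input fall through unchanged.
  has_field("message") && is_json(parse_json(to_string($message.message)))
then
  let json_tree = parse_json(to_string($message.message));
  let json_fields = select_jsonpath(json_tree, {
    time:             "$.time",
    level:            "$.level",
    message:          "$.message",
    CorrelationID:    "$.CorrelationID",
    SessionID:        "$.SessionID",
    Component:        "$.Component",
    ComponentVersion: "$.ComponentVersion",
    Action:           "$.Action",
    Method:           "$.Method",
    MemberID:         "$.MemberID",
    TimeSpent:        "$.TimeSpent"
  });

  // Copy everything under an app_ prefix: app_message, app_level, ...
  // The original "message" field (the raw JSON) is left intact for forensics.
  set_fields(json_fields, "app_");

  // Override the ones that need a real type for searching/aggregation.
  set_field("app_TimeSpent", to_long(json_fields.TimeSpent));
  set_field("app_level", to_string(json_fields.level));

  // Event time from the log entry replaces the ingest time Graylog assigned.
  set_field("timestamp", flex_parse_date(to_string(json_fields.time)));
  remove_field("app_time");
end
```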