Hi,
I would like to parse a json which is in the full_message:
2020-02-21 07:40:26.725 INFO n/a [xxx] (default task-33) json-data:{"blocked-uri":"https://server.adform.net/Serving/TrackPoint/?pm=200517&ADFPageName=xxx|techniker&ADFdivider=|&ord=395451026951&Set1=de-DE|de-DE|1920x1080|24&ADFtpmode=2&itm=eyJzbCI6IiIsImlkIjoiIiwiY250ciI6IiIsImJzeiI6MSwiYWdlIjoiIiwiZ2VuIjoiIiwiY3VyIjoiIn0&loc=httpsxxx","document-uri":"https://xxx","effective-directive":"script-src-elem","referrer":"","status-code":"0","violated-directive":"script-src-elem"}
This is my rule to extract the json and map it into the fields which are in the json object:
rule "routeToStream Web TKde CSP TEST"
when
  has_field("tk_staging") && contains(to_string($message.tk_staging), "wt03") &&
  has_field("tk_message_type") && contains(to_string($message.tk_message_type), "lf_csp_tkde")
then
  let json = parse_json(to_string($message.full_message));
  let map = to_map(json);
  set_fields(map);
  route_to_stream("Web TKde CSP TEST");
end
The rule is working and pastes the message into the stream, but without parsing the json.
Any idea?
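
An added example, not part of the original post: a Graylog pipeline rule that captures only the object following `json-data:` before calling `parse_json`, since the sample `full_message` begins with a timestamp, level and thread name and is not JSON as a whole. It assumes the JSON object is the last thing on the line; the rule name and the `csp_` field prefix are hypothetical choices for this example.

```graylog
rule "extract CSP report from json-data payload (example)"
when
  has_field("full_message") &&
  // only run when a JSON object actually follows the marker
  regex("json-data:\\s*\\{", to_string($message.full_message)).matches == true
then
  // capture group "0" holds everything from the opening to the closing brace
  let m = regex("json-data:\\s*(\\{.*\\})\\s*$", to_string($message.full_message));
  let json = parse_json(to_string(m["0"]));
  // CSP report keys are supplied by the reporting browser; the prefix (an assumption
  // of this example) keeps them from overwriting existing fields such as "source"
  set_fields(to_map(json), "csp_");
end
```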