How to extract Json field

jzhengcimpress · February 26, 2019, 2:41am

Hi,

We are using HTTP GELF post a nested json log as below, and try to extract it field on behalf of querying nested json log, but customized fields can not be displayed and used, when I am testing it, it looks good though. Are there any steps I missed?

json body.

{ “short_message”: “jerry test”, “data”:{“level”: “ERROR”, “details”: {“message”: “This is an example error message”, “controller”: “IndexController”, “tags”: [“one”, “two”, “three”]}},“level”:“1” }

Thanks,
-Jerry.

benvanstaveren · February 27, 2019, 9:27am

You will have to add a JSON extractor on the “data” field to extract the JSON in there. Alternatively, you can do the same with a pipeline rule like this:

rule "extract json from data field"
when
  has_field("data")
then
  set_fields(to_map(parse_json(to_string($message.data))));
end

jzhengcimpress · February 28, 2019, 5:00am

Thank you @benvanstaveren, my issue is fixed now. I finally find some datatype issues of my json body after outputting debug information.

Regard,
-Jerry.

Topic		Replies	Views
Unable to extract nested json from pipeline Graylog Central (peer support)	0	581	April 27, 2020
JSON extractor not working Graylog Central (peer support) pipeline-rules	9	6253	August 8, 2020
JSON fields not extracted properly Graylog Central (peer support)	1	462	November 5, 2020
Not able to extract fields from nested json Graylog Central (peer support)	3	162	June 30, 2024
JSON extractor not working? Graylog Central (peer support)	4	4889	September 10, 2018

How to extract Json field

Related topics