Hi, your problem is with \ in the fields account and process_name. It's not valid JSON without an escaped backslash \\ in your message. Every backslash should be escaped twice to work in Graylog, so the JSON extractor can extract it.
If you can't update the incoming message, you can use one of these pipeline rules to fix it:
The first pipeline rule fixes the backslash and extracts all JSON fields:
rule "extract-json-syslog1"
when
starts_with(to_string($message.message), "{") && ends_with(to_string($message.message), "}")
then
let fix_backslash = replace(to_string($message.message), "\\", "\\\\"); // double every backslash so the message becomes valid JSON
let json = parse_json(to_string(fix_backslash));
let map = to_map(json);
set_fields(map);
//set_fields(map, "prefix_"); // use if you want to prefix fields with prefix_ (uncomment this and comment previous line)
end
The second pipeline rule fixes the backslash and extracts only selected fields from the JSON (using JSON path):
rule "extract-json-syslog2"
when
starts_with(to_string($message.message), "{") && ends_with(to_string($message.message), "}")
then
let fix_backslash = replace(to_string($message.message), "\\", "\\\\"); // double every backslash so the message becomes valid JSON
let json = parse_json(to_string(fix_backslash));
let json_fields = select_jsonpath(json, { ipv4: "$.ipv4", hostname: "$.hostname", account: "$.account"}); // map of field name -> JSON path to extract
set_fields(json_fields);
end
Alternatively you could use key_value() for the message (I have an unnatural fear of JSON). The JSON would be better if you wanted to pick/rename specific fields though… and since @shoothub posted working JSON code, I fear it a little less:
rule "extract-syslog-kv"
when
starts_with(to_string($message.message), "{") && ends_with(to_string($message.message), "}")
then
let mess = substring(to_string($message.message),1,-1); // removes the outer braces
let keysv = key_value(mess,",",":",true,true,"take_last","\"","\""); // splits on "," and ":", removes the surrounding quotes from keys and values
set_fields(keysv);
end
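To make the difference between the two approaches concrete, here is an added Python illustration (not Graylog pipeline code, and not from either poster above). It mimics the three rules on a constructed message with Windows paths, and also shows the one thing to check before enabling the backslash-doubling rule on every message that starts with "{": applied to a message that is already valid JSON, the doubling changes values and can break escaped quotes, so fields silently stop being extracted. The Graylog functions replace(), parse_json(), substring() and key_value() are approximated with plain Python; the guarded fix_backslash_if_needed() is my own suggestion, not something from the thread.

```python
"""Constructed illustration of the Graylog pipeline rules discussed above.
Not Graylog code: the pipeline functions are approximated in plain Python."""
import json

# Constructed sample, as it arrives from the source: the backslashes in
# "account" and "process_name" are not escaped, so this is not valid JSON.
RAW_MESSAGE = r'{"ipv4": "10.0.0.5", "hostname": "ws01", "account": "CORP\jdoe", "process_name": "C:\Windows\System32\cmd.exe"}'

# Constructed sample that is already valid JSON (escaped backslash and quotes).
ALREADY_ESCAPED = r'{"account": "CORP\\jdoe", "note": "said \"hi\""}'


def is_valid_json(message: str) -> bool:
    """True if the message parses as JSON (what parse_json needs)."""
    try:
        json.loads(message)
        return True
    except ValueError:
        return False


def fix_backslash(message: str) -> str:
    """Equivalent of replace(message, "\\", "\\\\"): double every backslash."""
    return message.replace("\\", "\\\\")


def fix_backslash_if_needed(message: str) -> str:
    """Guarded variant (my suggestion): only double backslashes when the raw
    message does not already parse, so already-escaped messages are untouched."""
    return message if is_valid_json(message) else fix_backslash(message)


def extract_json_fields(message: str) -> dict:
    """Mirror of rule extract-json-syslog1: fix, parse, return all fields."""
    return json.loads(fix_backslash(message))


def extract_selected_fields(message: str, wanted=("ipv4", "hostname", "account")) -> dict:
    """Mirror of rule extract-json-syslog2: keep only the selected top-level keys
    (the select_jsonpath() map is reduced to plain key lookups here)."""
    obj = json.loads(fix_backslash(message))
    return {k: obj[k] for k in wanted if k in obj}


def extract_key_value(message: str) -> dict:
    """Rough mirror of rule extract-syslog-kv: strip the outer braces, split on
    "," and the first ":", trim whitespace and quotes. Like key_value() it does
    not interpret JSON escapes, so the raw backslashes survive without any fix."""
    body = message.strip()[1:-1]
    fields = {}
    for pair in body.split(","):
        if ":" not in pair:
            continue
        key, value = pair.split(":", 1)
        fields[key.strip().strip('"')] = value.strip().strip('"')
    return fields


if __name__ == "__main__":
    print("raw valid JSON?          ", is_valid_json(RAW_MESSAGE))
    print("json rule fields:        ", extract_json_fields(RAW_MESSAGE))
    print("json path rule fields:   ", extract_selected_fields(RAW_MESSAGE))
    print("key_value rule fields:   ", extract_key_value(RAW_MESSAGE))
    print("already-escaped, doubled:", is_valid_json(fix_backslash(ALREADY_ESCAPED)))
    print("already-escaped, guarded:", is_valid_json(fix_backslash_if_needed(ALREADY_ESCAPED)))
```

The key_value() approach works on the raw message without the backslash fix because it never interprets escapes, but it also splits on every "," and ":", so values containing those characters (or nested objects) come out wrong; the JSON approach handles those, as long as the backslash doubling is only applied to messages that really are unescaped.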