JSON fields not extracted properly

Hi there, I have an issue with JSON fields not extracted properly.

First of all, I have a JSON Extractor on my input that extracts the message field. This results in a new MESSAGE field with the following contents:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e03a5c76-2122-4c1d-8265-be6e9cdc5e11","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/ingress-nginx/configmaps/ingress-controller-leader-nginx","verb":"update","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx","uid":"42491580-cda5-4856-9f1b-ae133faadba7","groups":["system:serviceaccounts","system:serviceaccounts:ingress-nginx","system:authenticated"]},"sourceIPs":["10.81.100.2"],"userAgent":"nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643","objectRef":{"resource":"configmaps","namespace":"ingress-nginx","name":"ingress-controller-leader-nginx","uid":"7bd1f348-9586-45ea-b41c-897c8ba83985","apiVersion":"v1","resourceVersion":"178373"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-11-04T09:21:18.756400Z","stageTimestamp":"2020-11-04T09:21:18.759305Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:ingress-nginx:ingress-nginx","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"ingress-nginx/ingress-nginx\" of Role \"ingress-nginx\" to ServiceAccount \"ingress-nginx/ingress-nginx\""}}

All fields are then extracted with another JSON Extractor on the MESSAGE field. But then the issue is that the JSON path annotations is not extracted into fields. Is there any way to accomplish this?

Thanks!

Hey @christiaan

Nested JSON is never easy to work with. You might want to work with the processing pipeline. What is the result of the extractor that has worked on the above mail?

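An added example, not part of the original thread and not Graylog's own code: a flattener for a Kubernetes audit event shaped like the one posted above, which turns nested keys such as `annotations` → `authorization.k8s.io/decision` into single-level field names. It assumes the target field names may only contain letters, digits, `_`, `-` and `@`; the sample event is constructed and trimmed, and the function names are hypothetical.

```python
import json
import re

# Assumption: the log platform only accepts field names made of these characters,
# so anything else (for example "." and "/" in annotation keys) becomes "_".
INVALID_KEY_CHARS = re.compile(r"[^A-Za-z0-9_\-@]")


def sanitize_key(key):
    return INVALID_KEY_CHARS.sub("_", key)


def flatten(value, prefix="", sep="_"):
    """Flatten nested objects into one level of sanitized field names."""
    fields = {}
    if isinstance(value, dict):
        # Empty objects (like responseStatus.metadata) produce no field.
        for key, child in value.items():
            name = sanitize_key(key)
            full = f"{prefix}{sep}{name}" if prefix else name
            fields.update(flatten(child, full, sep))
    elif isinstance(value, list):
        if all(not isinstance(v, (dict, list)) for v in value):
            # Lists of scalars (sourceIPs, groups) stay one searchable field.
            fields[prefix] = ", ".join(str(v) for v in value)
        else:
            for i, child in enumerate(value):
                fields.update(flatten(child, f"{prefix}{sep}{i}", sep))
    else:
        fields[prefix] = value
    return fields


def extract_fields(raw):
    return flatten(json.loads(raw))


# Constructed sample: a trimmed event with the same shape as the one in the post.
SAMPLE = json.dumps({
    "verb": "update",
    "user": {"username": "system:serviceaccount:ingress-nginx:ingress-nginx",
             "groups": ["system:serviceaccounts", "system:authenticated"]},
    "sourceIPs": ["10.81.100.2"],
    "responseStatus": {"metadata": {}, "code": 200},
    "annotations": {"authorization.k8s.io/decision": "allow"},
})

if __name__ == "__main__":
    for name, value in sorted(extract_fields(SAMPLE).items()):
        print(f"{name} = {value}")
```

Two different keys can sanitize to the same field name; the later one overwrites the earlier, so check for collisions before relying on the output for alerting.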
