1: Use a pipeline with “parse_json” function to parse json to a json tree, then use a select_jsonpath on the json tree to extract all fields.
2: Unfortunately it seems you can’t use spaces in field names with select_jsonpath. The only option I can think of is that you modify the application that outputs the logs to not use spaces in field names.
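A pipeline rule along the lines of step 1, as an added example that is not part of the original posts. It assumes the complete JSON document is in the `message` field and is an array whose first element carries the keys visible in the indexing error quoted further down; the rule name and the `oplog_*` field names are made up for illustration.

```graylog
// Added example. Assumptions: the whole JSON payload is in "message" and looks
// like [ { "ID": ..., "User": ..., "OperationType": ..., ... } ].
rule "extract operation log fields from JSON"
when
  has_field("message")
then
  // Parse the raw string into a JSON tree.
  let tree = parse_json(to_string($message.message));

  // select_jsonpath returns a map of <new field name> -> <value at that path>.
  // Only keys without spaces are selected here (see step 2 above).
  // The target names are chosen so they do not collide with a field that
  // already has another type in the index mapping, such as "result".
  let fields = select_jsonpath(tree, {
    oplog_id:             "$[0].ID",
    oplog_login_id:       "$[0].LoginID",
    oplog_date:           "$[0].Date",
    oplog_user:           "$[0].User",
    oplog_operation:      "$[0].OperationLog",
    oplog_operation_type: "$[0].OperationType"
  });

  // Write every extracted key-value pair onto the message.
  set_fields(fields);
end
```

The rule has to be attached to a pipeline stage connected to the stream that receives these messages.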
OK for the pipeline, but how can I tell the JSON input plugin to grab the whole message and not only a piece?
This path works with curl, $.[0], but not in the JSON API from HTTP.
In Graylog I got this message:
2018-12-12T10:53:21.272+01:00 WARN [Messages] Failed to index message: index=<graylog_2> id= error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse field [result] of type [float]”,“caused_by”:{“type”:“number_format_exception”,“reason”:“For input string: “{ID=250614206867013737, LoginID=8111595009036118294, Date=12/12/2018 08:07:21,
User=zzz, OperationLog=Encrypted file ‘test.PNG’, OperationType=63, Parameters={IP Address=, Browser Type=, Device ID=, API Key=, Local File=zzz.PNG, Device Type=WebClient}}””}}>
In the 3.0 release the set_fields function can work with a complete JSON tree - so you are able to just use parse_json followed by set_fields to write all found key-value pairs into the message.
But that is not given in the current stable version - so you have (currently) no option.