Parse more from "JSON path from HTTP API"

(Andreaconsadoriw) #1

JSON path from HTTP API input works… but only for one field at a time.
JSON API poll result: $[0]['LoginID'] -> {result=3119072626240781000}

If I want to extract all this data, what's the correct way?
"ID": 3119072626240781000,
"LoginID": 3119072626240781000,
"Date": "05/12/2018 08:41:34",
"User": "myuser",
"OperationLog": "login failed",
"OperationType": 4,
"Parameters": {
"IP Address": "",
"Browser Type": "curl/7.52.1",
"Device Type": "REST API"
}
}

Because I need the correlation between IP address and login failed.

I try to extract $.[0].Parameters."IP Address", which works in curl, but Graylog does not accept the ", so how can I fix it if I've spaces in the name?

(Ben van Staveren) #2

1: Use a pipeline with "parse_json" function to parse json to a json tree, then use a select_jsonpath on the json tree to extract all fields.

2: Unfortunately it seems you can't use spaces in field names with select_jsonpath, the only option I can think of is that you modify the application that outputs the logs to not use spaces in field names.

(Andreaconsadoriw) #3

OK for the pipeline, but how can I tell the JSON input plugin to grab the whole message and not only a piece?
This path, $.[0], works with curl but not in the JSON API from HTTP input.

In Graylog I got this message:
2018-12-12T10:53:21.272+01:00 WARN [Messages] Failed to index message: index=<graylog_2> id= error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [result] of type [float]","caused_by":{"type":"number_format_exception","reason":"For input string: "{ID=250614206867013737, LoginID=8111595009036118294, Date=12/12/2018 08:07:21,
User=zzz, OperationLog=Encrypted file 'test.PNG', OperationType=63, Parameters={IP Address=, Browser Type=, Device ID=, API Key=, Local File=zzz.PNG, Device Type=WebClient}}""}}>

(Jan Doberstein) #4

In the 3.0 release the set_fields function can work with a complete JSON tree, so you are able to just parse_json followed by a set_fields to write all found key-value pairs into the message.

But that is not given in the current stable version - so you have (currently) no option.
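A pipeline rule in the shape #2 and #4 describe, written here as an added example and not taken from this thread or from Graylog's own documentation. It assumes the HTTP input delivers the raw JSON array of audit records (as shown in #1) in the `message` field, and it assumes, which the thread does not confirm, that select_jsonpath accepts standard JsonPath bracket notation for keys containing spaces; the extracted field names (login_user, ip_address, ...) are chosen here and contain no spaces.

```graylog
rule "login audit: flatten JSON record into message fields"
when
    // only touch messages that actually carry the audit JSON (assumed field)
    has_field("message")
then
    // parse_json turns the raw text into a JSON tree the other functions can walk
    let tree = parse_json(to_string($message.message));

    // select_jsonpath takes a map of new_field_name -> JSONPath and returns a map
    // of the extracted values; the new names are plain identifiers because the
    // original keys with spaces ("IP Address") cannot be used as Graylog field names
    let fields = select_jsonpath(tree, {
        login_id:       "$[0].LoginID",
        login_date:     "$[0].Date",
        login_user:     "$[0].User",
        operation_log:  "$[0].OperationLog",
        operation_type: "$[0].OperationType",
        browser_type:   "$[0].Parameters['Browser Type']",
        device_type:    "$[0].Parameters['Device Type']",
        ip_address:     "$[0].Parameters['IP Address']"
    });

    // set_fields writes every key/value pair of the map into the message at once,
    // so one rule covers all of the fields instead of one field per input path
    set_fields(fields);

    // a boolean the IP address can be correlated against in a stream rule or
    // alert condition, instead of string-matching the log text each time
    set_field("login_failed", contains(to_string(fields["operation_log"]), "login failed"));
end
```

Use fresh field names rather than writing the parsed text into the input's existing `result` field: the indexing error quoted in #3 comes from that field already being mapped as a float, so any non-numeric value written to it is rejected.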

(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.