Hi All,
We do have JSON data in the form
{
  "data": [
    {
      "appName": "DemoApp",
      "appVersion": "1.1",
      "deviceId": "1234567",
      "deviceName": "moto e",
      "deviceOSVersion": "5.1",
      "packageName": "com.abc.DemoApp",
      "message": "testing null pointer exception",
      "errorLog": "null pointer exception"
    },
    {
      "appName": "DemoApp",
      "appVersion": "1.1",
      "deviceId": "1234567",
      "deviceName": "moto e",
      "deviceOSVersion": "5.1",
      "packageName": "com.abc.DemoApp",
      "message": "testing illegal state exception",
      "errorLog": "illegal state exception"
    }
  ]
}
We want to split data into separate messages and different fields like
appName, appVersion etc.
My queries:
i) We use the split filter to split it into different fields, and we are getting
"data_appName" as the field name instead of "appName". How can we change this field
to "appName" etc., without the data_ prefix?
ii) The message field contains both records, not a single one. How do we split the
message field?
Filter in the config file:
filter {
  json {
    source => "message"
  }
  mutate { gsub => [ "message", "},", "shr" ] }
  split {
    terminator => "shr"
    field => "data"
  }
}
Please guide for both queries.
Regards,
Shrawan
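
Added example, not part of the original post: a Logstash filter sketch for the two queries above, which splits the parsed "data" array into one event per element and then moves each element's keys to the top level so that no nested "data" object remains. It assumes the raw JSON arrives in "message" and a Logstash version whose split filter accepts array fields and whose mutate options accept hash syntax.

```logstash
filter {
  # Parse the raw JSON text held in "message"; this creates the
  # top-level array field "data".
  json {
    source => "message"
  }

  # "data" is an array after parsing, so split emits one event per element.
  # No gsub or terminator is needed: terminator only applies to string fields.
  split {
    field => "data"
  }

  # Each event now carries a single object under "data".
  # Promote its keys to top-level fields with their original names.
  mutate {
    rename => {
      "[data][appName]"         => "appName"
      "[data][appVersion]"      => "appVersion"
      "[data][deviceId]"        => "deviceId"
      "[data][deviceName]"      => "deviceName"
      "[data][deviceOSVersion]" => "deviceOSVersion"
      "[data][packageName]"     => "packageName"
      "[data][errorLog]"        => "errorLog"
    }
  }

  # Replace the original raw-JSON "message" with this element's own message,
  # then drop what is left of the nested "data" object.
  mutate {
    replace      => { "message" => "%{[data][message]}" }
    remove_field => [ "data" ]
  }
}
```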