I have a logfile that stores events with a timestamp and a JSON message. For example:
timestamp {"foo": 12, "bar": 13}
I would l
I've done this with the following config:
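filter {
  # Split the line into the timestamp (tstamp) and the JSON payload (msg).
  grok {
    match => ["message", "\[%{WORD}:%{LOGLEVEL}\] %{TIMESTAMP_ISO8601:tstamp} :: %{GREEDYDATA:msg}"]
  }
  # Use the extracted timestamp as the event's timestamp.
  date {
    match => [ "tstamp", "yyyy-MM-dd HH:mm:ss" ]
  }
  # Parse the JSON payload so that its keys become event fields.
  json {
    source => "msg"
  }
}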
By the way, this is a config for the new version 1.2.0.
In version 1.1.13 you need to include a target on the json filter and the reference for message in the grok filter is @message.
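To see what this grok, date and json chain produces for one line, and what happens when a line does not match or the JSON is truncated, here is an added Python sketch; it is not part of the original answer and is not Logstash code. The sample lines are constructed, the regular expression is a simplified stand-in for the grok patterns, and `process` is a hypothetical name.

```python
import json
import re
from datetime import datetime

# Simplified stand-ins for the grok patterns WORD, LOGLEVEL, TIMESTAMP_ISO8601
# and GREEDYDATA (assumption: the real grok definitions accept more variants).
LINE_RE = re.compile(
    r"\[\w+:(?:DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)\] "
    r"(?P<tstamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) :: (?P<msg>.*)"
)

# Constructed sample lines in the layout the grok pattern expects.
SAMPLES = [
    '[app:INFO] 2013-09-10 12:34:56 :: {"foo": 12, "bar": 13}',
    '[app:ERROR] 2013-09-10 12:34:57 :: {"foo": 12,',  # truncated JSON
    "free text without the expected prefix",
]

def process(line):
    """Apply the grok -> date -> json steps to one line and return the event."""
    event = {"message": line, "tags": []}
    m = LINE_RE.search(line)  # grok matching is unanchored, so search()
    if m is None:
        # Without tstamp and msg the date and json steps have nothing to do.
        event["tags"].append("_grokparsefailure")
        return event
    event.update(m.groupdict())
    # Same layout as the date filter's "yyyy-MM-dd HH:mm:ss".
    event["@timestamp"] = datetime.strptime(event["tstamp"], "%Y-%m-%d %H:%M:%S")
    try:
        parsed = json.loads(event["msg"])
    except ValueError:
        parsed = None
    if isinstance(parsed, dict):
        # With no target set, the parsed keys are merged into the event's
        # top level, where they can overwrite fields of the same name.
        event.update(parsed)
    else:
        # Assumption of this sketch: anything but a JSON object is a failure.
        event["tags"].append("_jsonparsefailure")
    return event

if __name__ == "__main__":
    for sample in SAMPLES:
        print(process(sample))
```

Events carrying the `_grokparsefailure` or `_jsonparsefailure` tag are the ones to route to a separate output for inspection, since their JSON keys never became fields.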