
I have a log which contains JSON, and I want to apply an if condition on one of the fields of the JSON. Log format:

[2018-03-22T16:47:31.113] INFO {"code":200,"type": "everything looks good", "text":"Starting server at port => 5003"}  {../../app.py:14:8}

I am trying to apply a condition based on the code, that is, if code is 200 then it should add a field "status" => "success".

filter {
  grok {
    match => { "message" => "\[(?<timestamf>%{TIMESTAMP_ISO8601})\] %{LOGLEVEL:loglevel} %{GREEDYDATA:json}  %{GREEDYDATA:file}" }
  }
  date {
    match => [ "timestamf", "ISO8601" ]
    target => "timestamf"
  }
  if [json][code] == 200 {
    mutate {
      add_field => {
        "Status" => "Success"
      }
    }
  }
}

But it's not working.

James Z

1 Answer

First off, code is not a separate field in your grok pattern; it's just plain-text data under the json field, which is under the message field, because you use GREEDYDATA.

You need to create a separate field for code to use it in a conditional statement.

After %{LOGLEVEL:loglevel} in your grok pattern you can add the following, {"code":%{INT:code}, right before %{GREEDYDATA:json}, so it should read:

 %{LOGLEVEL:loglevel} {"code":%{INT:code}%{GREEDYDATA:json}

From the Logstash Field Reference documentation:

The syntax to access a field is [fieldname]. If you are referring to a top-level field, you can omit the [] and simply use fieldname. To refer to a nested field, you specify the full path to that field: [top-level field][nested field].

The rest of your condition block is almost correct, but since [message] is your top-level field and [code] is now its nested field, you can access it like this:

if [message][code] == 200 {
  mutate {
    add_field => {
      "Status" => "Success"
    }
  }
}
Sufiyan Ghori
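A complete filter for the log line in the question, as an added example that is not part of either post: it keeps the grok split from the question but then parses the captured JSON with Logstash's json filter, so the conditional compares a real integer rather than text inside a GREEDYDATA capture. The field names timestamp, payload and Status are my choices.

```logstash
filter {
  # Split the line into timestamp, level, the JSON document and the trailing file marker.
  # The two literal spaces before %{GREEDYDATA:file} mirror the log format in the question.
  grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:loglevel} %{GREEDYDATA:json}  %{GREEDYDATA:file}" }
  }
  date {
    match  => [ "timestamp", "ISO8601" ]
    target => "@timestamp"
  }
  # At this point [json] is still one string. Parse it into [payload] so that
  # [payload][code] is an integer; grok captures stay strings unless suffixed with :int.
  json {
    source => "json"
    target => "payload"
  }
  if [payload][code] == 200 {
    mutate { add_field => { "Status" => "Success" } }
  } else {
    mutate { add_field => { "Status" => "Failure" } }
  }
}
```

If the JSON text is malformed, the json filter tags the event with _jsonparsefailure and [payload][code] is absent, so the event falls into the else branch rather than being silently dropped.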