So I have a log in this format:
{
"date":1598808279.785381,
"log":"{\"level\":\"info\",\"ts\":15988.7852,\"caller\":\"server/middlewares.go:26\",\"msg\":\"Request Log\",\"status\":200,\"method\":\"GET\",\"url\":\"/health\",\"duration\":0.000008323}",
"container_id":"someid",
"container_name":"/service-name",
"source":"stdout"
}
I would like to extract out the status within the log field. After reading the docs it looks like I should be able to do:
_collector="MyService" | json auto | fields log.status
However, that throws a syntax error for ".".
Another solution I thought of is that, based upon how other languages work, piping usually returns the object, so if I could incrementally return fields this should work:
_collector="MyService" | json auto | fields (log) | fields (status)
But that also doesn't work.
I've tried specifying a given field like this:
_collector="MyService" | json auto "fields.log.status"
But that doesn't work.
I've also tried directly pulling that value using field like this:
_collector="MyService" | json field=Message "log.status"
Finally, I tried doing all of these variations:
_collector="MyService" | json auto field=log "status"
_collector="MyService" | json auto field=log | fields status
_collector="MyService" | json auto field=log "status"
_collector="MyService" | json auto field=log "log.status"
But to no avail.
Any ideas where I'm going wrong?
The log field is escaped JSON as a string, so you will need to JSON-parse twice.
| json "log"
| json auto field=log
| fields status
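
The two-step parse from the answer, shown outside Sumo Logic as an added Python example (not part of the original answer): after one parse the log field is still a string, so the path log.status finds nothing until that string is decoded too. The sample record is constructed from the log in the question, and the helper names are hypothetical.

```python
import json

# Constructed sample record, shaped like the log in the question.
SAMPLE = json.dumps({
    "date": 1598808279.785381,
    "log": json.dumps({"level": "info", "msg": "Request Log",
                       "status": 200, "method": "GET", "url": "/health"}),
    "container_id": "someid",
    "container_name": "/service-name",
    "source": "stdout",
})

MISSING = object()  # sentinel: path not present


def lookup(obj, path):
    """Walk a dotted path through dicts only; strings are never decoded."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return MISSING
        obj = obj[key]
    return obj


def lookup_nested(obj, path):
    """Like lookup(), but when a step lands on a string, try to decode it
    as JSON and keep walking (the 'parse twice' step)."""
    for key in path.split("."):
        if isinstance(obj, str):
            try:
                obj = json.loads(obj)
            except ValueError:
                return MISSING  # plain-text log line, nothing to descend into
        if not isinstance(obj, dict) or key not in obj:
            return MISSING
        obj = obj[key]
    return obj


def extract_status(raw_line):
    """Return the inner status of one raw log line, or None if absent."""
    value = lookup_nested(json.loads(raw_line), "log.status")
    return None if value is MISSING else value


if __name__ == "__main__":
    print(lookup(json.loads(SAMPLE), "log.status") is MISSING)
    print(extract_status(SAMPLE))
```

Containers that write plain text to stdout produce a log field that is not JSON at all; extract_status returns None for those lines instead of raising.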