Tags: logging, sumologic

Is it possible to parse nested json in sumologic?


So I have a log in this format:

{
    "date":1598808279.785381,
    "log":"{\"level\":\"info\",\"ts\":15988.7852,\"caller\":\"server/middlewares.go:26\",\"msg\":\"Request Log\",\"status\":200,\"method\":\"GET\",\"url\":\"/health\",\"duration\":0.000008323}",
    "container_id":"someid",
    "container_name":"/service-name",
    "source":"stdout"
}

I would like to extract out the status within the log field. After reading the docs it looks like I should be able to do:

_collector="MyService" | json auto | fields log.status

However, that throws a syntax error for .

Another solution I thought of is that, based upon how other languages work, piping usually returns the object, so if I could incrementally return fields this should work:

_collector="MyService" | json auto | fields (log) | fields (status)

But that also doesn't work.

I've tried specifying a given field like this:

_collector="MyService" | json auto "fields.log.status"

But that doesn't work.

I've also tried directly pulling that value using field like this:

_collector="MyService" | json field=Message "log.status"

Finally, I tried doing all of these variations:

_collector="MyService" | json auto field=log "status"

_collector="MyService" | json auto field=log | fields status

_collector="MyService" | json auto field=log "status"

_collector="MyService" | json auto field=log "log.status"

But to no avail.

Any ideas where I'm going wrong?


Solution

  • log is escaped JSON as a string, so you will need to JSON-parse twice.

    | json "log"
    | json auto field=log
    | fields status
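As an added illustration (not part of the question or the answer), the same two-stage parse in Python: the first decode yields `log` as a plain string, which is why `log.status` has nothing to address until that string is decoded a second time. The sample record below is constructed to mirror the log line in the question, and the function names are the example's own.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample: a container-runtime style record whose "log" field carries
# the application's own JSON line escaped into a string (as in the question).
SAMPLE_RECORD = (
    '{"date":1598808279.785381,'
    '"log":"{\\"level\\":\\"info\\",\\"ts\\":15988.7852,'
    '\\"caller\\":\\"server/middlewares.go:26\\",\\"msg\\":\\"Request Log\\",'
    '\\"status\\":200,\\"method\\":\\"GET\\",\\"url\\":\\"/health\\",'
    '\\"duration\\":0.000008323}",'
    '"container_id":"someid","container_name":"/service-name","source":"stdout"}'
)


def single_parse_log_type(record: str, outer_key: str = "log") -> str:
    """Type name of the inner field after only one decode (equivalent of `json "log"`)."""
    return type(json.loads(record).get(outer_key)).__name__


def extract_nested(record: str, outer_key: str = "log") -> Optional[Dict[str, Any]]:
    """Decode the outer record, then decode the escaped JSON held in `outer_key`.

    Returns None when the inner field is missing, is not a string, or is not a
    JSON object (e.g. a plain-text stdout line), so callers never confuse an
    unparsed container line with a structured application event.
    """
    outer = json.loads(record)
    inner_raw = outer.get(outer_key)
    if not isinstance(inner_raw, str):
        return None
    try:
        inner = json.loads(inner_raw)  # second decode: the equivalent of `json auto field=log`
    except json.JSONDecodeError:
        return None
    return inner if isinstance(inner, dict) else None


def field_from_nested(record: str, field: str, outer_key: str = "log") -> Any:
    """Equivalent of `... | fields <field>` on the twice-decoded record."""
    inner = extract_nested(record, outer_key)
    return None if inner is None else inner.get(field)


if __name__ == "__main__":
    print(single_parse_log_type(SAMPLE_RECORD))      # str, not dict
    print(field_from_nested(SAMPLE_RECORD, "status"))  # 200
```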