Here is a sample of the log JSON string; the message field is again a JSON string.
{
"service_id" => "sec-sip",
"@version" => "1",
"logplane" => "containerlogs",
"componentName" => "container",
"message" => "{"version":"1.0","timestamp":"2021-08-06T13:48:56.640+0000","severity":"info","service_id":"MANAGER@m.syslog","message":"santu testtttttttttttttttttttttt","extra_data":{"manager":{"log_plane":"alarmlogs","alarm_raise_time":"1628251669506","alarm_update_time":"1628257736581","source_type":"MANAGER","alarm_instance_id":"1","alarm_proposed_repair_action":"Informational alarm no action required.","alarm_handler_specific_problem":null,"specific_problem":"Business Logic Updated","event_type":"Processing",}}}",
"version" => "0.2.0",
"timestamp" => "2021-08-06T16:47:13.736Z"
}
I need to change the logplane value on the basis of [extra_data][manager][logplane] == "alarmlogs".
Can you please help me with how we can extract this key from the message field and apply the condition?
I want to achieve what is given below.
if [extra_data][manager][logplane] == "alarmlogs" {
  mutate {
    replace => {"[logplane]" => "informational"}
  }
}
You have to convert the string to a JSON object using the json filter. In your case, do something similar:
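filter {
  # Parse the JSON string held in "message" into a nested object.
  json {
    source => "message"
    target => "json_message"
  }
  # The inner JSON in the sample uses the key "log_plane", not "logplane".
  if [json_message][extra_data][manager][log_plane] == "alarmlogs" {
    mutate {
      replace => {"[logplane]" => "informational"}
    }
  }
}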
Not sure whether you want to convert this new JSON object back.
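
A variant of the filter above that parses into `[@metadata]`, so nothing has to be converted back or removed before output, and that makes parse failures visible instead of silently leaving `logplane` unchanged. This is an added example, not part of the original posts; it assumes the inner key is `log_plane` as in the sample message, and `[@metadata][inner]` and the `logplane_unparsed` tag are names chosen here for illustration.

```logstash
filter {
  # Parse the inner JSON string into @metadata: the parsed object can be
  # used in conditionals but is not sent to outputs, so the event keeps
  # its original "message" string and gains no extra fields.
  json {
    source => "message"
    target => "[@metadata][inner]"
    # Default tag, written out so the check below is explicit.
    tag_on_failure => ["_jsonparsefailure"]
  }

  if "_jsonparsefailure" in [tags] {
    # The message was not valid JSON (for example, the sample as pasted
    # has a trailing comma after "event_type":"Processing"). Mark the
    # event so unclassified alarm logs can be found later.
    mutate {
      add_tag => ["logplane_unparsed"]
    }
  } else if [@metadata][inner][extra_data][manager][log_plane] == "alarmlogs" {
    mutate {
      replace => { "[logplane]" => "informational" }
    }
  }
}
```

To inspect the parsed object while testing, use `stdout { codec => rubydebug { metadata => true } }` as the output.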