VerosK · May 28, 2015 11:19
diff --git a/parse-json.logstash.conf b/parse-json.logstash.conf
 filter {
  # if it looks like json, tag it
  if [type] == 'syslog' and [message] =~ '{.*}' {
        json {
          source => 'message'
          target => 'json_data'
          add_tag => ['has_json']
        }
  }

  if "has_json" in [tags] {
      mutate {
         rename => [
                "[json_data][Message]", "message",
                "[json_data][message]", "message"
        ]
      }
      mutate { # save @message to @message.raw (if needed)
        rename => ['@message', '@message.raw']
      }
      mutate {  # save message to @message (if needed)
        add_field => ['@message', '%{message}']
      }
      grok { # if message contains date, drop the date
        match => [ "message", "\[%{MONTHDAY}/%{MONTH}/%{YEAR} %{TIME}] +%{GREEDYDATA:message}" ]
        overwrite => ['message']
      }
  }
 }
	filter {
	# if it looks like json, tag it
	if [type] == 'syslog' and [message] =~ '{.*}' {
	json {
	source => 'message'
	target => 'json_data'
	add_tag => ['has_json']
	}
	}

	if "has_json" in [tags] {
	mutate {
	rename => [
	"[json_data][Message]", "message",
	"[json_data][message]", "message"
	]
	}
	mutate { # save @message to @message.raw (if needed)
	rename => ['@message', '@message.raw']
	}
	mutate { # save message to @message (if needed)
	add_field => ['@message', '%{message}']
	}
	grok { # if message contains date, drop the date
	match => [ "message", "\[%{MONTHDAY}/%{MONTH}/%{YEAR} %{TIME}] +%{GREEDYDATA:message}" ]
	overwrite => ['message']
	}
	}
	}