Hello
I have some logs that have nested JSON. If I add INDEXED_EXTRACTIONS = JSON, the non-JSON data does not appear, but the JSON is expandable and extracted.
Here's a sample of the log:
2017-10-31 18:27:07,444 priority=INFO app=apps thread=[stuff-2.0.177-v11111111].HttpsListenerConfig.worker.12 location=MessageProcessor line=151 _message="Message flow..." {appName=[stuff-2.0.177-v11111111, orderValue=10.00, field=1506373, retryCnt=0, field=12fdfg-123dsdf-213423vdc-dfg43, id=123456, field=123456789, field=2, field=220838349} responsePayload='{
"field": 220838349,
"field": 1292975431,
"field": "1506373",
"endTime": "2017-10-31T18:42:05.456Z",
"field": true,
"field": [
{
"field": -1,
"field": "",
"field": "31",
"field": "27",
"field": "16",
"field": {
"amount": 37.4,
"currency": "USD"
},
"field": "HOLD"
},
{
"field": -1,
"field": "",
"field": "31",
"field": "27",
"field": "17",
"field": {
"amount": 37.4,
"currency": "USD"
},
"field": "HOLD"
}
]
}' responseHttpStatus=200 timeTakenInMillis=2003
Any ideas how I can extract, at index time, the JSON portion while also keeping the rest? My current props are
[sourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%f
TRUNCATE = 100000
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
Maybe something I can do with transforms??
Thanks!!