How to parse a json field?

Follow
Avatar
Peter Olds
We have a collector that sends JSON formatted logs to Sumo, but the thing that sends to the collector sends pseudo-keyvalue formatted logs. For example here is a sample event that's logged: ``` { "id":"1", "timestamp":1487702107728, "message":"time=\"2017-02-21T18:35:07Z\" level=info msg=\"status=\"200\" method=\"GET\" duration=\"349.302982ms\"ua=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"\" ", "requestID":"1", "logGroup":"ecs" } ``` Parsing the json is easy enough, but I'm trying to parse the events that happen in the "message" field like "status" or "level". Any ideas are appreciated. The query I have so far looks something like: _sourceCategory=mycategory | json auto nodrop | where logGroup = "ecs" | message | keyvalue infer "level" Which doesn't entirely work because keyvalue is wanting brackets around the values.
0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Kenneth Ord

    I'm seeing something similar too. Extract a number of key/value pairs as JSON and then you can't then subparse it as JSON because the JSON formatting is lost, losing quote marks, etc. Did you solve it?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post