How to use logstash to grok the message which is a hash

Question

All

I'm using logstash to ship logs from the remote server. The message i got is a hash type like this:

[2014-12-06 23:59:57] 112.254.70.37 <AUDIO> {"type":"Stat", "eid":4800316, "mid":"87192133091532", "ccid":3228662, "ver":102, "ip":"114.113.200.227", "port":9081, "jitter":"0 0 0 0 0 ", "break":"0 0 0 0 0 ", "interrupt":"0 0 0 0 0 ", "tcp_rtt":"40 40 45 50 50 ", "udp_rtt":"31 33 35 40 35 ", "all_pkts":"107180 107193 107249 107323 107358 ", "lost":"0 0 0 0 0 ", "delay":"40.78", "pull":"3 3 3 3 3 "}

Then how can I write the grok part, I search the doc everywhere, but i still don't konw how... thx!

Answer 1

First, you have to parse out your json data by grok filter. Then, use json filter to parse all the hashmap value. With this config I can parse your log and create all the field:value. Hope this can help you.

input {
    stdin{
    }
}

filter {
    grok {
    match => [ "message" , "\[%{TIMESTAMP_ISO8601:datatime}\] %{IP:ip} <%{WORD:level}> %{GREEDYDATA:data}"]
    }
    json {
            source => "data"
    }
}

output {
    stdout{
            codec => rubydebug
    }
}