I have a log record that is a CEF record with a couple of fields that are JSON. Is there an example of how I would extract the fields from the JSON record when most of the record is CEF?
Hi @kleewyck ,
maybe this will help 
I have some logs from a demo app that look like this
2021-12-13T14:26:59.370Z INFO frontend/best_eta.go:106 Dispatch successful {"service": "frontend", "trace_id": "62c43baab1d3ba01", "span_id": "62c43baab1d3ba01", "driver": "T729032C", "eta": "2m0s"}
I can get to the JSON object at the end with this query
{container="hotrod"} | pattern "<time>\t<level>\t<component>\t<status>\t<json_log>\n" | line_format "{{.json_log}}"
I first split the log message using \t as the separator. Then I can take the json_log filed and apply line_format to it. Not sure if this is the beat way to do it but it seems to work…
Thank you very much. This might work in my case!
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.