Hi,
I have JSON data being indexed from a syslog file, i.e.
Nov 2 23:04:47 host1 /usr/local/bin/audit.rb[24503]: { "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=>true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" }
The problem is I cannot use spath to extract fields, i.e.
| spath output=action path=@fields.action
If I remove the syslog section and only index the JSON data then it works without problems, i.e. if the data is just:
{ "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=>true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" }
Is this normal behaviour, and is there a way around it whilst still being able to use the spath function?
Thanks.
This is normal. spath operates on either XML or JSON, and with the extra info, your data is not JSON. You can simply use eval prior to using spath to strip out the syslog info prior to piping to spath.
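As an added example (not part of the original answer), here is a search that applies the suggested approach: eval's replace() drops everything before the first "{" so that spath can be pointed at the clean JSON through its input argument, and a rex alternative keeps the syslog prefix (timestamp, host, program, pid) as separate fields for correlation. The index and sourcetype values are assumptions.

```spl
index=main sourcetype=syslog "audit.rb"
| eval json=replace(_raw, "^[^{]*", "")
| spath input=json output=action path=@fields.action
| spath input=json output=caller path=@fields.caller
| spath input=json output=callerhost path=@fields.callerhost
| spath input=json output=request_time path=@fields.request_time
| spath input=json output=uniqid path=@fields.uniqid
| table _time host action caller callerhost request_time uniqid

index=main sourcetype=syslog "audit.rb"
| rex field=_raw "^(?<syslog_ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?<syslog_host>\S+)\s+(?<syslog_prog>[^\[]+)\[(?<syslog_pid>\d+)\]:\s+(?<json>\{.*\})$"
| spath input=json output=action path=@fields.action
| spath input=json output=caller path=@fields.caller
| table syslog_ts syslog_host syslog_prog syslog_pid action caller
```

The eval version assumes the syslog prefix itself never contains a "{"; the rex version is stricter and will simply leave json empty for lines that do not match the expected prefix, which is easy to spot with a search for events where json is null.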