I'm writing Grok parsing rules to extract attributes from logs, but I don't know why Grok cannot extract JSON in some cases.
Here is the sample log:
[32minfo: {"status":"200 OK","time":"731.909 ms","size":"847 B","method":"POST","url":"/graphql"} {"context":"Response","service":"my-service","timestamp":"2023-12-09T09:06:43+00:00"}[39m
The parsing rules:
api_parsing_rule \[%{integer}m%{notSpace:level}: (%{regex("[^{]*"):message}|%{data:data:json}) %{data:meta:json}
Extraction:
{
  "level": "info"
}
When I delete the status, time, and size fields from the JSON, it works.
New sample log:
[32minfo: {"method":"POST","url":"/graphql"} {"context":"Response","service":"my-service","timestamp":"2023-12-09T09:06:43+00:00"}[39m
New extraction:
{
  "data": {
    "method": "POST",
    "url": "/graphql"
  },
  "level": "info",
  "meta": {
    "service": "my-service",
    "context": "Response",
    "timestamp": "2023-12-09T09:06:43+00:00"
  }
}
Do you know why? Thanks!