Hi,
I have JSON data being indexed from a syslog file, i.e.:
Nov 2 23:04:47 host1 /usr/local/bin/audit.rb[24503]: { "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=>true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" }
The problem is that I cannot use spath to extract fields, i.e.:
| spath output=action path=@fields.action
If I remove the syslog section and only index the JSON data, then it works without problems, i.e. if the data is just:
{ "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=>true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" }
Is this normal behaviour, and is there a way around it whilst still being able to use the spath function?
Thanks.
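As an added example (not from the post and not Splunk's own code), the same workaround in Python: find the JSON object that follows the syslog header and resolve the `@fields.action` path on it, which is what a `rex` extraction followed by `spath input=<field>` does on the Splunk side. The sample line is constructed in the shape of the event quoted above.

```python
import json
from typing import Any, Optional

# Constructed sample line in the same shape as the syslog event quoted in the post.
# Note the "data" value contains braces inside a JSON string, which is legal JSON.
SYSLOG_LINE = (
    'Nov  2 23:04:47 host1 /usr/local/bin/audit.rb[24503]: '
    '{ "@fields" : { "action" : "check", "agent" : "server", '
    '"data" : "{:process_results=>true}", "request_time" : 1351746758 }, '
    '"@message" : "message", "@tags" : [ ], "@type" : "audit" }'
)


def extract_json(line: str) -> Optional[dict]:
    """Return the first JSON object embedded in a syslog line, or None.

    The syslog header ("Nov  2 23:04:47 host1 prog[pid]: ") is not JSON, so a
    parser fed the whole line fails at the first byte. We try each '{' in turn
    so a stray brace in the header does not break extraction, and raw_decode
    tolerates any text that follows the object's closing brace.
    """
    decoder = json.JSONDecoder()
    start = line.find("{")
    while start != -1:
        try:
            obj, _end = decoder.raw_decode(line[start:])
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        start = line.find("{", start + 1)
    return None


def spath_get(obj: Any, path: str) -> Any:
    """Resolve a dotted spath-style path such as '@fields.action'."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def action_from_line(line: str) -> Any:
    """Equivalent of '| spath output=action path=@fields.action' on the JSON part."""
    payload = extract_json(line)
    return None if payload is None else spath_get(payload, "@fields.action")
```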