JSON formatting for VMWare Log Insight

Be sure your target object is actually JSON. If it's text (represented by an 'a' in the preview pane), you'll want to parse it into JSON before it hits the destination. Eval function, with _raw => JSON.parse(_raw) would work.

Note the curly braces next to raw here, indicating a JSON object:

Hi @BargiBargi,

Here's how I would build a pipeline to format the messages. Here's an example I'll show with some fields already extracted. We want to move _raw to the text field, _time to timestamp, and then all remaining fields to fields.

Let's start with a basic Eval function to build the general structure of an individual message:

(the expression is {"text": _raw, "timestamp": _time, "fields": []})

Now we can use the code function to do some magic… We want to take all fields (using the special variable __e) that do not start with an underscore (internal or otherwise not already used) and move their KV pairs to fields.

__e['_raw']['fields'] = Object.entries(__e).filter(([key, value]) => !key.startsWith('_')).map(([key, value]) => {  return {"name": key, "content": value}})

We use the Object.entries function to create a KV array to work with in the filter and map functions. In the map function, the return value reformats the original KV pair into the expected name and content fields.

Finally, we can use the Aggregations function to combine events into a single array.

The list(_raw) function will generate a new array of individual messages aggregated together. The evaluate fields expression moves the array into the expected messages object key.

Which gives an output that looks like the following:

Now in the Webhook destination, configure as follows to only emit the _raw field as the payload to the Log Insight collector. Note the URL is static for the destination, but it can be customized per-event by setting the __url field.

Let me know if this solves your issue!

Amazing!
Thanks so much for the help.

I've worked through it and I can see it builds the JSON object up as expected.
But when it's sending to the LI API it's it's erroring bellow.

{"errorMessage":"Invalid request body.","errorCode":"JSON_FORMAT_ERROR","errorDetails":{"reason":"Unrecognized token ‘object': was expecting (JSON String, Number, Array, Object or token ‘null', ‘true' or ‘false')\n at [Source: (String)"[object Object]\n[object Object]\n[object Obj…"[truncated 3915 chars]; line: 1, column: 8]"}}

Pipeline looks fine (only thing maybe a bit strange is the content is listed before name, but assume that's just Cribl sorting alphabetically)

I changed the code to filter on anything starting with NSXT as all the fields I need start with that.

Tried with the Aggregations and just as Eval and same

Live Data for the Webhook destination again looks fine

@BargiBargi could you try adding an eval function to the end of your pipeline that turns _raw into JSON.stringify(_raw)?

@bdalpe
Using JSON.stringify(_raw) I can see events come through when using Aggregations step, which is good, but now I barely see 1 event a second coming through when there's much more than that coming in.

I thought it might have been to do with the Aggregation so replaced it with the following Eval and it works, but again only at a very low rate

There's no dropped events in the Cribl Webhook which is strange. So not quite sure wha'ts going on. Does the JSON.stringify have a rate limit to what it can process?

Hi,

Been trying to sort this on and off and can't figure out what the issue is.
Without the JSON.stringify(_raw) Cribl outputs [object Object], which can be seen in the last-failed-buffer.raw

With JSON.stringify(_raw) it works, but it's literly 1 message every 2 seconds

Any advice would be much appreciated!