_jsonparsefailure - What is the problem?

My input looks like this:

10.108.2.44 "73.91.231.150, 10.10.10.165" - - [26/Jul/2017:00:00:00 -0500] "GET /wod/landing?c=e&macId=90%3Ac7%3Ad8%3Afa%3A78%3Ae9&location=WODTrial&apMacId=10%3A56%3A11%3A15%3Ad3%3A8d&a=as&bn=st22&wod=1&issuer=r&deviceModel=ZTE+Jasper+LTE HTTP/1.1" 303 -

In my grok I defined the part of:

macId=90%3Ac7%3Ad8%3Afa%3A78%3Ae9&location=WODTrial&apMacId=10%3A56%3A11%3A15%3Ad3%3A8d&a=as&bn=st22&wod=1&issuer=r&deviceModel=ZTE+Jasper+LTE

as JSON, and named it: jsonstring.

My filter also contains:

if [jsonstring] =~ /.+/ {
                   split {
                           field => "jsonstring"
                           terminator => "&"
                           add_tag => ["splittedjson"]
                   }
                   json {
                           source => "jsonstring"
                           target => "parsedJson"
                           remove_field=>["jsonstring"]
                           add_field => [ "macid", "%{[parsedJson][macid]}" ]
                           add_field => [ "apmacid", "%{[parsedJson][apmacid]}" ]
                           add_field => [ "bn", "%{[parsedJson][bn]}" ]
                           add_field => [ "a", "%{[parsedJson][a]}" ]
                           add_field => [ "issuer", "%{[parsedJson][issuer]}" ]
                           add_field => [ "deviceModel", "%{[parsedJson][deviceModel]}" ]
                   }
                   urldecode {
                      field => "macid"
                   }
                   urldecode {
                      field => "apmacid"
                   }
                }

The event is split!
The add_field isn't working and I am getting _jsonparsefailure all the time.

Thanks
Sharon.

The string you want to parse as JSON isn't JSON so a json filter will never work. Use a kv filter instead of your current split+json combo. Also, the split filter doesn't do what you think it does.

You were right.
I used kv and it worked.

Thanks
Sharon.
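
A kv-based version of the filter suggested in the reply, as an added example that is not from the original thread. The target name `parsedKv` and the `kvparsed` tag are assumptions; the key list is taken from the sample request line above.

```logstash
filter {
  if [jsonstring] =~ /.+/ {
    # jsonstring holds "macId=...&location=...&apMacId=..." (key=value pairs
    # joined by "&"). That is a URL query string, not JSON, so kv parses it
    # where json tags the event with _jsonparsefailure.
    # No split filter here: split emits one new event per "&"-separated piece
    # instead of producing fields on the same event.
    kv {
      source       => "jsonstring"
      field_split  => "&"
      value_split  => "="
      # The keys come from the client's request. Writing them under a target
      # and listing the accepted keys keeps a request parameter from
      # overwriting an existing top-level field of the event.
      target       => "parsedKv"      # assumed name
      include_keys => ["macId", "apMacId", "bn", "a", "issuer", "deviceModel"]
      remove_field => ["jsonstring"]  # applied only when kv succeeds
      add_tag      => ["kvparsed"]    # assumed tag
    }
    # kv keeps the key case used in the URL (macId, apMacId), and the values
    # are still percent-encoded (90%3Ac7%3A...), so decode them afterwards.
    urldecode { field => "[parsedKv][macId]" }
    urldecode { field => "[parsedKv][apMacId]" }
  }
}
```

The original filter referenced `macid` and `apmacid` in lowercase; with kv the fields are named exactly as the keys appear in the request, so downstream references need `[parsedKv][macId]` and `[parsedKv][apMacId]`.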
