Check that a message is in JSON to avoid _jsonparsefailure

norandom · July 7, 2016, 3:08pm

Hi,

I have a logfile, which sadly is mixed. There are JSON lines, and there are free text lines. The good news is, that there is always a line break and JSON parsing works.

Currently I do:

   if "_jsonparsefailure" in [tags] {
                    drop { }
            }

I'd like to have an earlier check like

if ( [mesage] =~ ({.*}) ) {
   json {
                        source  => "message"
                }
}

Just using the curly braces to qualify for parsing

Otherwise I'd directly output it into Elasticsearch. Is there a simple way to do this, to save some performance and to avoid regular parser failures?

magnusbaeck · July 8, 2016, 5:44am

Sure, you can do that. The conditional in your example needs a few adjustments but the idea is right.

if [message] =~ /^{.*}$/ {

Topic		Replies	Views
If _jsonparsefailure in [tags] Logstash	4	8796	February 26, 2017
If condition matching json with "in" Logstash	6	4132	July 17, 2017
Parse json if json else leave as is Logstash	2	1269	July 6, 2017
Logstash filter plugin Logstash docker	2	495	October 8, 2021
Json filter message filed Logstash	4	270	July 7, 2020

Check that a message is in JSON to avoid _jsonparsefailure

Related topics