Error parsing JSON file

Vikash_Singh1 · August 6, 2020, 11:38am

I am trying to parse a json file which consists of multiple line but even though I am using multiline codec but still I am getting error. Sample of my Json file is as follows:

> [
  {
    "action": "drop",
    "clientASNDescription": "TRUE-AS-AP True Internet Co.,Ltd.",
    "clientAsn": "17552",
    "clientCountryName": "TH",
    "clientIP": "xxx.xxx.xx.xx",
    "clientRequestHTTPHost": "www.abc.com",
    "clientRequestHTTPMethodName": "GET",
    "clientRequestHTTPProtocol": "HTTP/1.1",
    "clientRequestPath": "/xx/xx/xxx/xxx",
    "clientRequestQuery": "",
    "datetime": "2020-08-02T13:30:00Z",
    "rayName": "6avbcghnasj",
    "ruleId": "defcc1554sadsadsad",
    "source": "firewallrules",
    "userAgent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "matchIndex": 0,
    "metadata": [
      {
        "key": "filter",
        "value": "asdasdsa2asd12a1s221asd"
      },
      {
        "key": "type",
        "value": "abcdef"
      }
    ],
    "sampleInterval": 1
  }
]
My grok is as follow:

input {
file {
#type => "json"
path => "/home/kagamee/Downloads/jetairways_logs/*.json"
codec => multiline {pattern => '^\{' negate => true what => "previous" auto_flush_interval => 2 max_lines => 100000000 }
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter
{
    mutate
    {
        replace => [ "message", "%{message}}" ]
        gsub => [ 'message','\n','']
    }
    if [message] =~ /^{.*}$/
    {
        json { source => message }
    }

}
output {
stdout { codec => rubydebug }
}

Thanks in advance

Badger · August 6, 2020, 1:45pm

Your JSON will include the closing ], so you need to gsub that off of [message] before trying to parse it.

Vikash_Singh1 · August 7, 2020, 5:30am

I did some changes in the conf file but still not getting correct output

> input {
file {
#type => "json"
path => "/home/kagamee/Downloads/abc.json"
codec => multiline {pattern => '[{^\}]' negate => true what => "previous" auto_flush_interval => 2 max_lines => 100000000 }
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter
{
    mutate
    {
        replace => [ "message", "%{message}}" ]
        gsub => ['message','\n',' ', 'message','{',' ']
    }
    if [message] =~ /^{.*}$/       
    {
        json { source => message }
    }

}
output {
stdout { codec => rubydebug }
}

The output is as follows:

"message" => " "action": "adwchallenge", "clientASNDescription": "XXX", "clientAsn": "1111", "clientCountryName": "KZ", "clientIP": "xx.xx.x.Xx", "clientRequestHTTPHost": "abcd.com", "clientRequestHTTPMethodName": "GET", "clientRequestHTTPProtocol": "HTTP/2", "clientRequestPath": "/abc/Jan19/xxx.gif", "clientRequestQuery": "", "datetime": "2020-08-03T14:52:34Z", "rayName": "aabbcccd", "ruleId": "56i", "source": "securitylevel", "userAgent": "Microsoft Office/16.0 (Microsoft Outlook 16.0.12827; Pro), Mozilla/4.0 (compatible; ms-office; MSOffice 16)", "matchIndex": 0, "metadata": , "sampleInterval": 1}"
}

Jenni · August 7, 2020, 6:15am

Now you replaced your opening curly brackets with a space, so it is invalid JSON and the regex in your condition won't match?!

Vikash_Singh1 · August 7, 2020, 6:53am

I noticed that I have removed it with ']' but still getting same ouput.

system · September 4, 2020, 6:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.