How to gsub \ in json message

az123 · June 13, 2019, 5:59pm

I have a message below that is failing due to jsonparse error. If I remove all the \ (backslashes) from the message in text editor and check in json parser, it parsed it properly. Now, to get rid of the \ in the json message filed, I tried the mutate + gsub as below (from the official docs) with [\] option which is not working! Need some help with this:

config file:

filter {
    mutate {
      gsub => [ "message", "[\\]", "" ]  # << 2 backslashes
}
}

       [0] "_jsonparsefailure"
    ],
        "message" => [
        [ 0] "{\"node_id_str\":\"xxxx\",\"subscription_id_str\":\"Sub2\",\"encoding_path\":\"Cisco-IOS-XR-shellutil-oper:system-time/uptime\",\"collection_id\":\"151649\",\"collection_start_time\":\"1560440022382\",\"msg_timestamp\":\"1560440022396\",\"data_json\":[{\"timestamp\":\"1560440022394\",\"keys\":[],\"content\":{\"host-name\":\"xxxx\",\"uptime\":6117928}}],\"collection_end_time\":\"1560440022396\"}",

So, how do I get rid of the \ in this message? Interestingly, if I try to match it and replace with some char B, it does it next to the \ so not sure what this is matching....

filter {
   mutate {
     gsub => [ "message", "[\\]", "B" ] # << 2 back slashes
 }
}

      "message" => [
        [0] "{B\"node_id_strB\":B\"xxxx-IE1B\",B\"subscription_id_strB\":B\"Sub2B\",B\"encoding_pathB\":B\"Cisco-IOS-XR-shellutil-oper:system-time/uptimeB\",B\"collection_idB\":B\"151843B\",B\"collection_start_timeB\":B\"1560447583109B\",B\"msg_timestampB\":B\"1560447583123B\",B\"data_jsonB\":[{B\"timestampB\":B\"1560447583120B\",B\"keysB\":[],B\"contentB\":{B\"host-nameB\":B\"xxxx-IE1B\",B\"uptimeB\":6125489}}],B\"collection_end_timeB\":B\"1560447583123B\"}",
        [1] "{B\"node_id_strB\":B\"xxxx-IE1B\",B\"subscription_id_strB\":B\"Sub2B\",B\"encoding_pathB\":B\"Cisco-IOS-XR-shellutil-oper:system-time/uptimeB\",B\"collection_idB\":B\"151844B\",B\"collection_start_timeB\":B\"1560447613123B\",B\"msg_timestampB\":B\"1560447613136B\",B\"data_jsonB\":[{B\"timestampB\":B\"1560447613132B\",B\"keysB\":[],B\"contentB\":{B\"host-nameB\":B\"xxxx-IE1B\",B\"uptimeB\":6125519}}],B\"collection_end_timeB\":B\"1560447613136B\"}"

[EDIT: added code-fences around code blocks to increase readability -- @yaauie]

Badger · June 13, 2019, 6:28pm

If that is from rubydebug your message does not contain backslash, it is just rubydebug escaping the double quotes. Not sure how your replacement with B could occur in that case.

az123 · June 13, 2019, 7:31pm

:-). If that is from ruby debug output plugin, why does logstash fail to parse the json?

Badger · June 13, 2019, 8:24pm

What does the json filter configuration look like?

az123 · June 13, 2019, 8:52pm

filter {
mutate {
split => ["message", " " ]
}
}

filter {
mutate {
gsub => [ "message", '\"', '"' ]
}
}

Badger · June 13, 2019, 10:00pm

Do you not have a json filter configured? logstash is not going to parse the JSON unless you tell it to.

az123 · June 14, 2019, 12:47pm

I have tried codec json and json_lines hoping that it will parse the incoming lines as json. I even added json filter to the end of the config before output but no luck parsing the message to json format. This is what I see when I run logstash:

[WARN ] 2019-06-14 12:38:45.267 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>["{"node_id_str":"xxxx","subscription_id_str":"Sub2","encoding_path":"Cisco-IOS-XR-shellutil-oper:system-time/uptime","collection_id":"152429","collection_start_time":"1560515908973","msg_timestamp":"1560515908990","data_json":[{"timestamp":"1560515908987","keys":,"content":{"host-name":"xxxx","uptime":6193815}}],"collection_end_time":"1560515908990"}"], :exception=>java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to org.jruby.RubyIO}
[WARN ] 2019-06-14 12:38:45.272 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>["{"node_id_str":"xxxx","subscription_id_str":"Sub2","encoding_path":"Cisco-IOS-XR-shellutil-oper:system-time/uptime","collection_id":"152429","collection_start_time":"1560515908973","msg_timestamp":"1560515908990","data_json":[{"timestamp":"1560515908987","keys":,"content":{"host-name":"xxxx","uptime":6193815}}],"collection_end_time":"1560515908990"}"], :exception=>java.lang.ClassCastException: org.jruby.RubyArray cannot be cast to org.jruby.RubyIO}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"tags" => [
[0] "_jsonparsefailure"
],
"port" => 48700,
"@timestamp" => 2019-06-14T12:38:44.988Z,
"host" => "xxxx-v0.xxxx.com",
"@version" => "1",
"message" => [
[0] "{"node_id_str":"xxxx","subscription_id_str":"Sub2","encoding_path":"Cisco-IOS-XR-shellutil-oper:system-time/uptime","collection_id":"152429","collection_start_time":"1560515908973","msg_timestamp":"1560515908990","data_json":[{"timestamp":"1560515908987","keys":,"content":{"host-name":"xxxx","uptime":6193815}}],"collection_end_time":"1560515908990"}"
],
"type" => "jsonotcp"
}

Badger · June 14, 2019, 1:21pm

How did you configure the json filter?

az123 · June 14, 2019, 1:34pm

filter {
json {
source => "message"
target => "jsonmessage"
}
}

Badger · June 14, 2019, 4:15pm

You used a mutate+split filter to convert message to an array, so that should be

json {
    source => "[message][0]"
    target => "jsonmessage"
}

az123 · June 14, 2019, 5:03pm

That worked for the first element! How do I make it parse every element in the array?

{
"tags" => [
[0] "_jsonparsefailure"
],
"jsonmessage" => {
"collection_end_time" => "1560531678180",
"node_id_str" => "xxxx",
"collection_id" => "152579",
"encoding_path" => "Cisco-IOS-XR-shellutil-oper:system-time/uptime",
"subscription_id_str" => "Sub2",
"collection_start_time" => "1560531678163",
"msg_timestamp" => "1560531678180",
"data_json" => [
[0] {
"timestamp" => "1560531678176",
"content" => {
"host-name" => "xxxx",
"uptime" => 6209584
},
"keys" =>
}
]
},
"@timestamp" => 2019-06-14T17:01:25.510Z,
"@version" => "1",
"port" => 34850,
"message" => [
[0] "{"node_id_str":"xxxx","subscription_id_str":"Sub2","encoding_path":"Cisco-IOS-XR-shellutil-oper:system-time/uptime","collection_id":"152579","collection_start_time":"1560531678163","msg_timestamp":"1560531678180","data_json":[{"timestamp":"1560531678176","keys":,"content":{"host-name":"xxxx","uptime":6209584}}],"collection_end_time":"1560531678180"}"
],
"host" => "xxxx-v0.xxxx.com",
"type" => "jsonotcp"
}

Badger · June 14, 2019, 5:56pm

I think you would have to use ruby for that.

az123 · June 17, 2019, 1:59pm

Can you share the code to do so?

system · July 15, 2019, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash json parse error Logstash	16	29412	March 13, 2017
Logstash mutate gsub replace json key Logstash	2	1042	August 7, 2019
Pre-process message backslashes prior to JSON filter Logstash	4	1488	March 26, 2019
How to replace backslash from a string Logstash	6	7506	August 2, 2018
Mutate gsub pattern help for filter Logstash	7	1017	April 5, 2022

How to gsub \ in json message

Related Topics