I am getting the above exception when I parsing log -
{"ProcessName":"c:/windows/system32/svchost.exe","cpuPerc":0,"cpuTime":"00:00","memResident":1237319680,"memSize":1090519040,"pid":660,"startTime":1569254748000,"state":"Running","user":""}
for cpuTime. Please suggest me a way.
Please could anyone suggest. Please help me in this.
A json filter has no problem parsing the JSON that you show. It would log that error if, for example, the cpuPerc field were
"cpuPerc":01
because JSON does not permit leading zeros on a numeric value. cpuTime is a string, not numeric, so it does not apply there.
You may be able to convert your events to valid JSON using a mutate filter.
okay, but the Invalid JSON Failure is given on cpuTime though it is already String and I check the JSON is valid.
Please suggest how I remove this exception of Logstash
I am unable to reproduce the problem. Perhaps upgrading to a current version would fix it.
My Conf file is -
input {
tcp {
port => 12345
codec =>json
}
}
filter {
json {
source => "message"
}
}
output
{
stdout { codec => json }
elasticsearch
{
hosts => ["localhost:9200"]
index => "kumar-%{+YYYY.MM.dd}"
}
}
JSON to be parsed -
{
"MessageType": "query",
"ProcessInfo": null,
"antivirusdetail": null,
"arch": "10.0.17134",
"basicResponse": "yes#1570165120032#Windows#Microsoft Windows 10 Enterprise#10.11.92.0#Desktop#Member Workstation#####All Devices#",
"cpudetail": {
"com.accelerite.radialive.common.messageresponse.avro.CPUInfo": {
"ProcessDetailsList": [{
"ProcessName": "",
"cpuPerc": 100,
"cpuTime": "5019:09",
"memResident": 8388608,
"memSize": 54525952,
"pid": 0,
"startTime": 1569920676000,
"state": "Running",
"user": ""
}, {
"ProcessName": "",
"cpuPerc": 21,
"cpuTime": "100:58",
"memResident": 1962934272,
"memSize": 197132288,
"pid": 4,
"startTime": 1569920676000,
"state": "Running",
"user": ""
}, {
"ProcessName": "",
"cpuPerc": 0,
"cpuTime": "00:07",
"memResident": 15888023552,
"memSize": 2671771648,
"pid": 96,
"startTime": 1569920670000,
"state": "Running",
"user": ""
}, {
"ProcessName": "c:/windows/system32/svchost.exe",
"cpuPerc": 0,
"cpuTime": "00:00",
"memResident": 985661440,
"memSize": 1090519040,
"pid": 344,
"startTime": 1569920693000,
"state": "Running",
"user": ""
}, {
"ProcessName": "C:/Windows/SystemApps/Microsoft.LockApp_cw5n1h2txyewy/LockApp.exe",
"cpuPerc": 0,
"cpuTime": "00:04",
"memResident": 32111591424,
"memSize": 18744344576,
"pid": 352,
"startTime": 1569925596000,
"state": "Running",
"user": ""
}, {
"ProcessName": "",
"cpuPerc": 0,
"cpuTime": "00:00",
"memResident": 255852544,
"memSize": 515899392,
"pid": 524,
"startTime": 1569920676000,
"state": "Running",
"user": ""
}, {
"ProcessName": "C:/WINDOWS/system32/svchost.exe",
"cpuPerc": 0,
"cpuTime": "00:59",
"memResident": 19310575616,
"memSize": 15883829248,
"pid": 608,
"startTime": 1569920693000,
"state": "Running",
"user": ""
}]
}
}
}and the ERROR on console -
[2019-10-04T10:32:06,196][ERROR][logstash.codecs.json ][main] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input: was expecting closing quote for a string value at [Source: (String)"{"MessageType":"query","ProcessInfo":null,"antivirusdetail":null,"arch":"10.0.17134","basicResponse":"yes#1570165323292#Windows#Microsoft Windows 10 Enterprise#10.11.92.0#Desktop#Member Workstation#####All Devices#","cpudetail":{"com.accelerite.radialive.common.messageresponse.avro.CPUInfo":{"ProcessDetailsList":[{"ProcessName":"","cpuPerc":92,"cpuTime":"5024:43","memResident":8388608,"memSize":54525952,"pid":0,"startTime":1569920676000,"state":"Running","user":""},{"ProcessName":"","cpuPerc":17"[truncated 524 chars]; line: 1, column: 2049]>, :data=>"{"MessageType":"query","ProcessInfo":null,"antivirusdetail":null,"arch":"10.0.17134","basicResponse":"yes#1570165323292#Windows#Microsoft Windows 10 Enterprise#10.11.92.0#Desktop#Member Workstation#####All Devices#","cpudetail":{"com.accelerite.radialive.common.messageresponse.avro.CPUInfo":{"ProcessDetailsList":[{"ProcessName":"","cpuPerc":92,"cpuTime":"5024:43","memResident":8388608,"memSize":54525952,"pid":0,"startTime":1569920676000,"state":"Running","user":""},{"ProcessName":"","cpuPerc":17,"cpuTime":"101:17","memResident":1962934272,"memSize":197132288,"pid":4,"startTime":1569920676000,"state":"Running","user":""},{"ProcessName":"","cpuPerc":0,"cpuTime":"00:07","memResident":15908995072,"memSize":2646605824,"pid":96,"startTime":1569920670000,"state":"Running","user":""},{"ProcessName":"c:/windows/system32/svchost.exe","cpuPerc":0,"cpuTime":"00:00","memResident":981467136,"memSize":1090519040,"pid":344,"startTime":1569920693000,"state":"Running","user":""},{"ProcessName":"C:/Windows/SystemApps/Microsoft."} [2019-10-04T10:32:06,234][ERROR][logstash.codecs.json ][main] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unrecognized token 'LockApp_cw5n1h2txyewy': was expecting ('true', 'false' or 'null') at [Source: (String)"LockApp_cw5n1h2txyewy/LockApp.exe","cpuPerc":0,"cpuTime":"00:04","memResident":32111591424,"memSize":18744344576,"pid":352,"startTime":1569925596000,"state":"Running","user":""}
JSON is VALID
When I copy this JSON to file in desktop then parsing is working correctly. Not getting exactly what is happening
A tcp input accepts lines of text. My guess is that something is inserting a newline into your JSON in the middle of
"ProcessName": "C:/Windows/SystemApps/Microsoft.
LockApp_cw5n1h2txyewy/LockApp.exe",I have check the JSON is coming in valid problem in my codec of Logstash.
I changed that codec from "json" to "json_lines" and parsing is working fine.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.