Is this json format correct for upload to logstash/elasicsearch

gittinfunky · November 17, 2018, 9:40pm

I have a series of json files created using tshark (see example below) which I would like to visualise eith ELK. Is the current json format ok for upload to logstash or do I need to parse it in some other format

[{"No.": "1", "Time": "0", "Source": "192.168.252.40", "Destination": "112.156.122.25", "Protocol": "TCP", "Length": "64", "Info": "9145 > 2323 [SYN] Seq=0 Win=12713 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]", "label": "normal"},{"No.": "2", "Time": "0.000615", "Source": "192.168.252.40", "Destination": "115.36.214.222", "Protocol": "TCP", "Length": "64", "Info": "9145 > 23 [SYN] Seq=0 Win=12713 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]", "label": "normal"}]

wwalker · November 17, 2018, 10:30pm

I'm not sure if the json filter will parse it out since it is contained in [] but you could always use the mutate function with gsub and regex to remove them prior to the json filter.

gittinfunky · November 18, 2018, 7:40am

thanks @wwalker

would it easier if the json file was just a series of one line dictionary key value pairs like below, although when I check this isnt a valid json format

{"No.": "No.", "Time": "Time", "Source": "Source", "Destination": "Destination", "Protocol": "Protocol", "Length": "Length", "Info": "Info", "label": "label"}
{"No.": "1", "Time": "0", "Source": "192.168.252.40", "Destination": "112.156.122.25", "Protocol": "TCP", "Length": "64", "Info": "9145 > 2323 [SYN] Seq=0 Win=12713 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]", "label": "normal"}
{"No.": "2", "Time": "0.000615", "Source": "192.168.252.40", "Destination": "115.36.214.222", "Protocol": "TCP", "Length": "64", "Info": "9145 > 23 [SYN] Seq=0 Win=12713 Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]", "label": "normal"}

system · December 16, 2018, 7:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.