Json multiline codec is not working and messages are not getting parsed

Hi Team,

I an working on logstash json parser and messages are not getting parsed; any clue what could be wrong?
Here are original messages

[
 {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "accept_language": "en-US,en;q=0.9",
  "x-forwarded-for": "-",
  "referrer": "https://www.example.com/motor-renewal/pages/",
  "cookie": "__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0",
  "request_time": "0.339",
  "response_code": 200,
  "http_bytes_in": 221,
  "http_bytes_out": 824,
  "country_code": "UA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.570",
  "response_code": 200,
  "http_bytes_in": 430,
  "http_bytes_out": 4078,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.031",
  "response_code": 301,
  "http_bytes_in": 437,
  "http_bytes_out": 740,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 }
]

And here are my parsers

input {
        stdin {
                codec => multiline {
                pattern => "^\{"
#               negate => true
                what => "previous"
                }
        }
}

filter {
        mutate {
#       replace => [ "message", "%{message}" ]
        gsub => [ 'message','\,','']
        gsub => [ 'message','\n','']
        }
        if [message] =~ /^{.*}$/ {
        json {
        source => "message"
                }
        }
        }
output {
        stdout { codec => rubydebug  }
        }
```
Messages are then not getting parsed correctly

Your sample data does not contain any lines that match '^{'. Even if it did, deleting all the commas in the JSON would cause the parser to fail.

If you add auto_flush_interval => 2 to the codec then it will consume all of the data as a single event. You could then use

json { source => "message" target => "theJSON" }

You might then want to a split filter, since [theJSON] will be an array.

Let me try though - So auto_flush_interval => 2 in Input codec?

@Badger Same issue - Still no luck

Did you remove the mutates and the conditional around the json filter? If not, you should try doing so.

nah

nah man - No luck and yes I tried that

input {
        stdin {
                codec => multiline {
                pattern => "\,"
#               negate => true
                what => "previous"
                auto_flush_interval => 2
                }
}
}

filter {
json { source => "message" target => "theJSON" }
        }


output {
stdout { codec => rubydebug }
}

Here are the messages being parsed

[INFO ] 2023-09-17 20:50:00.769 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9602}
 {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "accept_language": "en-US,en;q=0.9",
  "x-forwarded-for": "-",
  "referrer": "https://www.example.com/motor-renewal/pages/",
  "cookie": "__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0",
  "request_time": "0.339",
  "response_code": 200,
  "http_bytes_in": 221,
  "http_bytes_out": 824,
  "country_code": "IN",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.570",
  "response_code": 200,
  "http_bytes_in": 430,
  "http_bytes_out": 4078,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.031",
  "response_code": 301,
  "http_bytes_in": 437,
  "http_bytes_out": 740,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 }
[WARN ] 2023-09-17 20:50:17.631 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"\n },", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example"
 },"; line: 1, column: 17]>}
[WARN ] 2023-09-17 20:50:17.639 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"\n },", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example"
 },"; line: 1, column: 17]>}
[WARN ] 2023-09-17 20:50:17.640 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:52 +0000\",\n  \"source_ip\": \"117.193.217.44\",\n  \"source_port\": 58066,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0\",\n  \"directory\": \"/motor-renewal/Scripts/Jquery\",\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\",\n  \"accept_language\": \"en-US,en;q=0.9\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"https://www.example.com/motor-renewal/pages/\",\n  \"cookie\": \"__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0\",\n  \"request_time\": \"0.339\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 221,\n  \"http_bytes_out\": 824,\n  \"country_code\": \"IN\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 S"[truncated 936 bytes]; line: 24, column: 1476]>}
[WARN ] 2023-09-17 20:50:17.641 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:53 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 41860,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.570\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 430,\n  \"http_bytes_out\": 4078,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-fo"[truncated 292 bytes]; line: 24, column: 832]>}
[WARN ] 2023-09-17 20:50:17.645 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:56 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 44480,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.031\",\n  \"response_code\": 301,\n  \"http_bytes_in\": 437,\n  \"http_bytes_out\": 740,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwa"[truncated 298 bytes]; line: 24, column: 838]>}
[WARN ] 2023-09-17 20:50:17.646 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example""; line: 1, column: 17]>}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.313Z,
       "message" => "  \"tenant_name\": \"example\"\n },"
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.309Z,
       "message" => "  \"tenant_name\": \"example\"\n },"
}
{
          "tags" => [
        [0] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.321Z,
       "message" => "  \"tenant_name\": \"example\""
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.290Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:52 +0000\",\n  \"source_ip\": \"117.193.217.44\",\n  \"source_port\": 58066,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0\",\n  \"directory\": \"/motor-renewal/Scripts/Jquery\",\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\",\n  \"accept_language\": \"en-US,en;q=0.9\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"https://www.example.com/motor-renewal/pages/\",\n  \"cookie\": \"__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0\",\n  \"request_time\": \"0.339\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 221,\n  \"http_bytes_out\": 824,\n  \"country_code\": \"IN\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.319Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:56 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 44480,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.031\",\n  \"response_code\": 301,\n  \"http_bytes_in\": 437,\n  \"http_bytes_out\": 740,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.313Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:53 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 41860,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.570\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 430,\n  \"http_bytes_out\": 4078,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
^C[WARN ] 2023-09-17 20:50:45.040 [SIGINT handler] runner - SIGINT received. Shutting down.
[INFO ] 2023-09-17 20:50:46.142 [Converge PipelineAction::Stop<main>] javapipeline - Pipeline terminated {"pipeline.id"=>"main"}
[INFO ] 2023-09-17 20:50:46.203 [LogStash::Runner] runner - Logstash shut down.

Your original pattern would never match the log file, so the entire file would be consumed as a single event. You are now using a pattern "\," which will match and will chop the log entries up into chunks that are not valid JSON. Try using pattern => "^Spalanzani" to make sure it never matches.

Let me try commenting it.

EDIT: Yeah It need Pattern parameter

Argh - Nope :frowning:

input {
        stdin {
                codec => multiline {
                pattern => "^Spalanzani"
#               negate => true
                what => "previous"
                auto_flush_interval => 2
                }
}
}

filter {
json { source => "message" target => "theJSON" }
        }


output {
stdout { codec => rubydebug }
}

Same issue

[WARN ] 2023-09-17 22:00:05.798 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Object (start marker at [Source: (byte[])" {"; line: 1, column: 2])
 at [Source: (byte[])" {"; line: 1, column: 5]>}
[WARN ] 2023-09-17 22:00:05.801 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>" },", :exception=>#<LogStash::Json::ParserError: Unexpected close marker '}': expected ']' (for root starting at [Source: (byte[])" },"; line: 1, column: 0])
 at [Source: (byte[])" },"; line: 1, column: 3]>}
[WARN ] 2023-09-17 22:00:05.801 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>" {", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Object (start marker at [Source: (byte[])" {"; line: 1, column: 2])
 at [Source: (byte[])" {"; line: 1, column: 5]>}
[WARN ] 2023-09-17 22:00:05.802 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"exmaple\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "exmaple""; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.805 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"source_port\": 44480,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_port": 44480,"; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.806 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"http_method\": \"GET\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_method": "GET","; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.809 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"destination_ip\": \"66.22.93.239\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_ip": "66.22.93.239","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.809 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"host\": \"exmaple.com\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "host": "exmaple.com","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.811 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1","; line: 1, column: 13]>}
[WARN ] 2023-09-17 22:00:05.811 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"directory\": \"/images/FEBRUARY_2017\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "directory": "/images/FEBRUARY_2017","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.812 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)","; line: 1, column: 16]>}
[WARN ] 2023-09-17 22:00:05.813 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"accept_language\": \"en\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "accept_language": "en","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.813 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"x-forwarded-for\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "x-forwarded-for": "-","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.814 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"referrer\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "referrer": "-","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.816 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"source_ip\": \"167.114.103.160\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_ip": "167.114.103.160","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.817 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"protocol\": \"https\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "protocol": "https","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.817 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"cookie\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "cookie": "-","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.818 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"request_time\": \"0.031\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request_time": "0.031","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.819 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"response_code\": 301,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "response_code": 301,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.819 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_in\": 437,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_in": 437,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.820 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_out\": 740,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_out": 740,"; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.821 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"country_code\": \"CA\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "country_code": "CA","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.821 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"action\": \"Allowed\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "action": "Allowed","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.822 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.823 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"application_name\": \"exmaple\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_name": "exmaple","; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.823 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"exmaple\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "exmaple""; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.825 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"time\": \"12/Aug/2023:13:20:53 +0000\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "time": "12/Aug/2023:13:20:53 +0000","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.825 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"source_ip\": \"167.114.103.160\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_ip": "167.114.103.160","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.826 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"source_port\": 41860,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_port": 41860,"; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.827 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_ip\": \"66.22.93.239\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_ip": "66.22.93.239","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.832 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_port\": 443,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_port": 443,"; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.854 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"protocol\": \"https\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "protocol": "https","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.856 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_method\": \"GET\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_method": "GET","; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.857 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"host\": \"www.exmaple.com\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "host": "www.exmaple.com","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.858 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1","; line: 1, column: 13]>}
[WARN ] 2023-09-17 22:00:05.858 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"directory\": \"/images/FEBRUARY_2017\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "directory": "/images/FEBRUARY_2017","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.859 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)","; line: 1, column: 16]>}
[WARN ] 2023-09-17 22:00:05.885 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"accept_language\": \"en\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "accept_language": "en","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.886 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"x-forwarded-for\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "x-forwarded-for": "-","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.887 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"referrer\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "referrer": "-","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.892 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"cookie\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "cookie": "-","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.895 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"request_time\": \"0.570\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request_time": "0.570","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.897 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"response_code\": 200,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "response_code": 200,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.898 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_in\": 430,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_in": 430,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.899 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_out\": 4078,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_out": 4078,"; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.899 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"country_code\": \"CA\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "country_code": "CA","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.900 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"action\": \"Allowed\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "action": "Allowed","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.905 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.907 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"application_name\": \"exmaple\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_name": "exmaple","; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.908 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"time\": \"12/Aug/2023:13:20:56 +0000\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "time": "12/Aug/2023:13:20:56 +0000","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.909 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_port\": 443,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_port": 443,"; line: 1, column: 22]>}
{
    "@timestamp" => 2023-09-17T16:30:05.432Z,
      "@version" => "1",
       "message" => " },",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.438Z,
      "@version" => "1",
       "message" => "  \"source_port\": 44480,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"http_method\": \"GET\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.386Z,
      "@version" => "1",
       "message" => " {",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.420Z,
      "@version" => "1",
       "message" => "  \"time\": \"12/Aug/2023:13:20:53 +0000\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.421Z,
      "@version" => "1",
       "message" => "  \"source_ip\": \"167.114.103.160\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.421Z,
      "@version" => "1",
       "message" => "  \"source_port\": 41860,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"destination_ip\": \"66.22.93.239\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"destination_port\": 443,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"protocol\": \"https\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"http_method\": \"GET\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"host\": \"www.exmaple.com\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"directory\": \"/images/FEBRUARY_2017\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"accept_language\": \"en\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"x-forwarded-for\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"referrer\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"cookie\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"request_time\": \"0.570\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"response_code\": 200,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"http_bytes_in\": 430,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"http_bytes_out\": 4078,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"country_code\": \"CA\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"action\": \"Allowed\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.426Z,
      "@version" => "1",
       "message" => "  \"application_name\": \"exmaple\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.434Z,
      "@version" => "1",
       "message" => "  \"time\": \"12/Aug/2023:13:20:56 +0000\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"destination_port\": 443,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.432Z,
      "@version" => "1",
       "message" => " {",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.439Z,
      "@version" => "1",
       "message" => "  \"destination_ip\": \"66.22.93.239\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"host\": \"exmaple.com\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"directory\": \"/images/FEBRUARY_2017\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"accept_language\": \"en\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"x-forwarded-for\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"referrer\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"cookie\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"request_time\": \"0.031\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"response_code\": 301,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"http_bytes_in\": 437,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"http_bytes_out\": 740,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"country_code\": \"CA\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"action\": \"Allowed\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"application_name\": \"exmaple\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"tenant_name\": \"exmaple\"",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.430Z,
      "@version" => "1",
       "message" => "  \"tenant_name\": \"exmaple\"",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.436Z,
      "@version" => "1",
       "message" => "  \"source_ip\": \"167.114.103.160\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"protocol\": \"https\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}

Then I thought to use split filter

filter {
json { source => "message" target => "theJSON" }

split {
        field => "theJSON"
        }
}

Then getting below error

[WARN ] 2023-09-17 22:05:49.143 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.150 [[main]>worker3] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker2] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker2] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.154 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass

Your multiline codec filter is not combining lines. Uncomment "negate => true". If it is still breaking the input up then perhaps increase the auto_flush_interval.

If I uncomment negate messages wont even get parsed

nput {
        stdin {
                codec => multiline {
                pattern => "^Spalanzani"
                negate => true
                what => "previous"
                auto_flush_interval => 10
                }
}
}

filter {
json { source => "message" target => "theJSON" }

split {
        field => "theJSON"
        }
}

output {
stdout { codec => rubydebug }
}

What I mean is messages does not get accepted in stdin

The pattern never matches, so it keeps combining lines into a single event. It should flush when the auto flush timer triggers, or when it reaches end-of-file.

A couple of questions, what is the source if those messages? It looks like an API response, how is the source data being generated?

Do you have any control on the source of the message to change the format?

Well the data is generated in s3buckets and we are eventually are thinking to pick it up from there.

Ok so you suggest instead of stdin try it out with file option?

Yes, that might help.

Still no luck with any of the option :frowning:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.