Json multiline codec is not working and messages are not getting parsed

Blason · September 16, 2023, 6:54am

Hi Team,

I an working on logstash json parser and messages are not getting parsed; any clue what could be wrong?
Here are original messages

[
 {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "accept_language": "en-US,en;q=0.9",
  "x-forwarded-for": "-",
  "referrer": "https://www.example.com/motor-renewal/pages/",
  "cookie": "__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0",
  "request_time": "0.339",
  "response_code": 200,
  "http_bytes_in": 221,
  "http_bytes_out": 824,
  "country_code": "UA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.570",
  "response_code": 200,
  "http_bytes_in": 430,
  "http_bytes_out": 4078,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.031",
  "response_code": 301,
  "http_bytes_in": 437,
  "http_bytes_out": 740,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 }
]

And here are my parsers

input {
        stdin {
                codec => multiline {
                pattern => "^\{"
#               negate => true
                what => "previous"
                }
        }
}

filter {
        mutate {
#       replace => [ "message", "%{message}" ]
        gsub => [ 'message','\,','']
        gsub => [ 'message','\n','']
        }
        if [message] =~ /^{.*}$/ {
        json {
        source => "message"
                }
        }
        }
output {
        stdout { codec => rubydebug  }
        }
```
Messages are then not getting parsed correctly

Badger · September 16, 2023, 2:58pm

Your sample data does not contain any lines that match '^{'. Even if it did, deleting all the commas in the JSON would cause the parser to fail.

If you add auto_flush_interval => 2 to the codec then it will consume all of the data as a single event. You could then use

json { source => "message" target => "theJSON" }

You might then want to a split filter, since [theJSON] will be an array.

Blason · September 16, 2023, 3:39pm

Let me try though - So auto_flush_interval => 2 in Input codec?

Blason · September 17, 2023, 5:05am

@Badger Same issue - Still no luck

Badger · September 17, 2023, 3:03pm

Did you remove the mutates and the conditional around the json filter? If not, you should try doing so.

Blason · September 17, 2023, 3:23pm

nah

nah man - No luck and yes I tried that

input {
        stdin {
                codec => multiline {
                pattern => "\,"
#               negate => true
                what => "previous"
                auto_flush_interval => 2
                }
}
}

filter {
json { source => "message" target => "theJSON" }
        }


output {
stdout { codec => rubydebug }
}

Here are the messages being parsed

[INFO ] 2023-09-17 20:50:00.769 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9602}
 {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
  "accept_language": "en-US,en;q=0.9",
  "x-forwarded-for": "-",
  "referrer": "https://www.example.com/motor-renewal/pages/",
  "cookie": "__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0",
  "request_time": "0.339",
  "response_code": 200,
  "http_bytes_in": 221,
  "http_bytes_out": 824,
  "country_code": "IN",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.570",
  "response_code": 200,
  "http_bytes_in": 430,
  "http_bytes_out": 4078,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 },
 {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-for": "-",
  "referrer": "-",
  "cookie": "-",
  "request_time": "0.031",
  "response_code": 301,
  "http_bytes_in": 437,
  "http_bytes_out": 740,
  "country_code": "CA",
  "action": "Allowed",
  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2",
  "application_name": "example",
  "tenant_name": "example"
 }
[WARN ] 2023-09-17 20:50:17.631 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"\n },", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example"
 },"; line: 1, column: 17]>}
[WARN ] 2023-09-17 20:50:17.639 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"\n },", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example"
 },"; line: 1, column: 17]>}
[WARN ] 2023-09-17 20:50:17.640 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:52 +0000\",\n  \"source_ip\": \"117.193.217.44\",\n  \"source_port\": 58066,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0\",\n  \"directory\": \"/motor-renewal/Scripts/Jquery\",\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\",\n  \"accept_language\": \"en-US,en;q=0.9\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"https://www.example.com/motor-renewal/pages/\",\n  \"cookie\": \"__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0\",\n  \"request_time\": \"0.339\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 221,\n  \"http_bytes_out\": 824,\n  \"country_code\": \"IN\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:52 +0000",
  "source_ip": "117.193.217.44",
  "source_port": 58066,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0",
  "directory": "/motor-renewal/Scripts/Jquery",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 S"[truncated 936 bytes]; line: 24, column: 1476]>}
[WARN ] 2023-09-17 20:50:17.641 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:53 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 41860,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.570\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 430,\n  \"http_bytes_out\": 4078,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:53 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 41860,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "www.example.com",
  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwarded-fo"[truncated 292 bytes]; line: 24, column: 832]>}
[WARN ] 2023-09-17 20:50:17.645 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {\n  \"time\": \"12/Aug/2023:13:20:56 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 44480,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.031\",\n  \"response_code\": 301,\n  \"http_bytes_in\": 437,\n  \"http_bytes_out\": 740,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\",", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
 at [Source: (byte[])" {
  "time": "12/Aug/2023:13:20:56 +0000",
  "source_ip": "167.114.103.160",
  "source_port": 44480,
  "destination_ip": "66.22.xx.xx",
  "destination_port": 443,
  "protocol": "https",
  "http_method": "GET",
  "host": "example.com",
  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1",
  "directory": "/images/FEBRUARY_2017",
  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)",
  "accept_language": "en",
  "x-forwa"[truncated 298 bytes]; line: 24, column: 838]>}
[WARN ] 2023-09-17 20:50:17.646 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"example\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "example""; line: 1, column: 17]>}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.313Z,
       "message" => "  \"tenant_name\": \"example\"\n },"
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.309Z,
       "message" => "  \"tenant_name\": \"example\"\n },"
}
{
          "tags" => [
        [0] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.321Z,
       "message" => "  \"tenant_name\": \"example\""
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.290Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:52 +0000\",\n  \"source_ip\": \"117.193.217.44\",\n  \"source_port\": 58066,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /motor-renewal/Scripts/Jquery/RenewalHome.js?_=1691846453034 HTTP/2.0\",\n  \"directory\": \"/motor-renewal/Scripts/Jquery\",\n  \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\",\n  \"accept_language\": \"en-US,en;q=0.9\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"https://www.example.com/motor-renewal/pages/\",\n  \"cookie\": \"__uzma=1ac42b2d-b59c-4e60-b9a7-340b3cd49b49; __uzmb=1691845215; __uzme=0719; __ssds=2; __ssuzjsr2=a9be0cd8e; __uzmaj2=b6e7db09-044f-49b6-ad2d-4d47cff57210; __uzmbj2=1691845218; _ga=GA1.2.820918465.1691845220; _gid=GA1.2.1703387158.1691845220; __uzmc=706721950010; __uzmd=1691846420; __uzmf=7f6000e3e2d48e-083e-4ebd-93c6-c080319d586716918452157051205102-9fb45c4147ecba1d19; __uzmcj2=792351349890; __uzmdj2=1691846421; _ga_HT9FXR2ZV8=GS1.1.1691845219.1.1.1691846428.60.0.0; _ga_7RVQF8C3BY=GS1.1.1691845219.1.1.1691846428.60.0.0\",\n  \"request_time\": \"0.339\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 221,\n  \"http_bytes_out\": 824,\n  \"country_code\": \"IN\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.319Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:56 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 44480,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.031\",\n  \"response_code\": 301,\n  \"http_bytes_in\": 437,\n  \"http_bytes_out\": 740,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
{
          "tags" => [
        [0] "multiline",
        [1] "_jsonparsefailure"
    ],
      "@version" => "1",
          "host" => "traplox",
    "@timestamp" => 2023-09-17T15:20:17.313Z,
       "message" => " {\n  \"time\": \"12/Aug/2023:13:20:53 +0000\",\n  \"source_ip\": \"167.114.103.160\",\n  \"source_port\": 41860,\n  \"destination_ip\": \"66.22.xx.xx\",\n  \"destination_port\": 443,\n  \"protocol\": \"https\",\n  \"http_method\": \"GET\",\n  \"host\": \"www.example.com\",\n  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",\n  \"directory\": \"/images/FEBRUARY_2017\",\n  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",\n  \"accept_language\": \"en\",\n  \"x-forwarded-for\": \"-\",\n  \"referrer\": \"-\",\n  \"cookie\": \"-\",\n  \"request_time\": \"0.570\",\n  \"response_code\": 200,\n  \"http_bytes_in\": 430,\n  \"http_bytes_out\": 4078,\n  \"country_code\": \"CA\",\n  \"action\": \"Allowed\",\n  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",\n  \"application_name\": \"example\","
}
^C[WARN ] 2023-09-17 20:50:45.040 [SIGINT handler] runner - SIGINT received. Shutting down.
[INFO ] 2023-09-17 20:50:46.142 [Converge PipelineAction::Stop<main>] javapipeline - Pipeline terminated {"pipeline.id"=>"main"}
[INFO ] 2023-09-17 20:50:46.203 [LogStash::Runner] runner - Logstash shut down.

Badger · September 17, 2023, 4:17pm

Your original pattern would never match the log file, so the entire file would be consumed as a single event. You are now using a pattern "\," which will match and will chop the log entries up into chunks that are not valid JSON. Try using pattern => "^Spalanzani" to make sure it never matches.

Blason · September 17, 2023, 4:28pm

Let me try commenting it.

EDIT: Yeah It need Pattern parameter

Blason · September 17, 2023, 4:36pm

Argh - Nope

input {
        stdin {
                codec => multiline {
                pattern => "^Spalanzani"
#               negate => true
                what => "previous"
                auto_flush_interval => 2
                }
}
}

filter {
json { source => "message" target => "theJSON" }
        }


output {
stdout { codec => rubydebug }
}

Same issue

[WARN ] 2023-09-17 22:00:05.798 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>" {", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Object (start marker at [Source: (byte[])" {"; line: 1, column: 2])
 at [Source: (byte[])" {"; line: 1, column: 5]>}
[WARN ] 2023-09-17 22:00:05.801 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>" },", :exception=>#<LogStash::Json::ParserError: Unexpected close marker '}': expected ']' (for root starting at [Source: (byte[])" },"; line: 1, column: 0])
 at [Source: (byte[])" },"; line: 1, column: 3]>}
[WARN ] 2023-09-17 22:00:05.801 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>" {", :exception=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Object (start marker at [Source: (byte[])" {"; line: 1, column: 2])
 at [Source: (byte[])" {"; line: 1, column: 5]>}
[WARN ] 2023-09-17 22:00:05.802 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"exmaple\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "exmaple""; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.805 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"source_port\": 44480,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_port": 44480,"; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.806 [[main]>worker3] json - Error parsing json {:source=>"message", :raw=>"  \"http_method\": \"GET\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_method": "GET","; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.809 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"destination_ip\": \"66.22.93.239\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_ip": "66.22.93.239","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.809 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"host\": \"exmaple.com\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "host": "exmaple.com","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.811 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request": "GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1","; line: 1, column: 13]>}
[WARN ] 2023-09-17 22:00:05.811 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"directory\": \"/images/FEBRUARY_2017\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "directory": "/images/FEBRUARY_2017","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.812 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)","; line: 1, column: 16]>}
[WARN ] 2023-09-17 22:00:05.813 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"accept_language\": \"en\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "accept_language": "en","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.813 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"x-forwarded-for\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "x-forwarded-for": "-","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.814 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"referrer\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "referrer": "-","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.816 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"source_ip\": \"167.114.103.160\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_ip": "167.114.103.160","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.817 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"  \"protocol\": \"https\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "protocol": "https","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.817 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"cookie\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "cookie": "-","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.818 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"request_time\": \"0.031\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request_time": "0.031","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.819 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"response_code\": 301,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "response_code": 301,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.819 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_in\": 437,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_in": 437,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.820 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_out\": 740,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_out": 740,"; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.821 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"country_code\": \"CA\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "country_code": "CA","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.821 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"action\": \"Allowed\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "action": "Allowed","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.822 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.823 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"application_name\": \"exmaple\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_name": "exmaple","; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.823 [[main]>worker1] json - Error parsing json {:source=>"message", :raw=>"  \"tenant_name\": \"exmaple\"", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "tenant_name": "exmaple""; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.825 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"time\": \"12/Aug/2023:13:20:53 +0000\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "time": "12/Aug/2023:13:20:53 +0000","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.825 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"source_ip\": \"167.114.103.160\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_ip": "167.114.103.160","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.826 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"source_port\": 41860,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_port": 41860,"; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.827 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_ip\": \"66.22.93.239\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_ip": "66.22.93.239","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.832 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_port\": 443,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_port": 443,"; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.854 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"protocol\": \"https\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "protocol": "https","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.856 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_method\": \"GET\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_method": "GET","; line: 1, column: 17]>}
[WARN ] 2023-09-17 22:00:05.857 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"host\": \"www.exmaple.com\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "host": "www.exmaple.com","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.858 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request": "GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1","; line: 1, column: 13]>}
[WARN ] 2023-09-17 22:00:05.858 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"directory\": \"/images/FEBRUARY_2017\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "directory": "/images/FEBRUARY_2017","; line: 1, column: 15]>}
[WARN ] 2023-09-17 22:00:05.859 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "user_agent": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)","; line: 1, column: 16]>}
[WARN ] 2023-09-17 22:00:05.885 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"accept_language\": \"en\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "accept_language": "en","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.886 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"x-forwarded-for\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "x-forwarded-for": "-","; line: 1, column: 21]>}
[WARN ] 2023-09-17 22:00:05.887 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"referrer\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "referrer": "-","; line: 1, column: 14]>}
[WARN ] 2023-09-17 22:00:05.892 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"cookie\": \"-\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "cookie": "-","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.895 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"request_time\": \"0.570\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "request_time": "0.570","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.897 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"response_code\": 200,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "response_code": 200,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.898 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_in\": 430,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_in": 430,"; line: 1, column: 19]>}
[WARN ] 2023-09-17 22:00:05.899 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"http_bytes_out\": 4078,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "http_bytes_out": 4078,"; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.899 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"country_code\": \"CA\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "country_code": "CA","; line: 1, column: 18]>}
[WARN ] 2023-09-17 22:00:05.900 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"action\": \"Allowed\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "action": "Allowed","; line: 1, column: 12]>}
[WARN ] 2023-09-17 22:00:05.905 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_id": "4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2","; line: 1, column: 20]>}
[WARN ] 2023-09-17 22:00:05.907 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"application_name\": \"exmaple\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "application_name": "exmaple","; line: 1, column: 22]>}
[WARN ] 2023-09-17 22:00:05.908 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"time\": \"12/Aug/2023:13:20:56 +0000\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "time": "12/Aug/2023:13:20:56 +0000","; line: 1, column: 10]>}
[WARN ] 2023-09-17 22:00:05.909 [[main]>worker0] json - Error parsing json {:source=>"message", :raw=>"  \"destination_port\": 443,", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "destination_port": 443,"; line: 1, column: 22]>}
{
    "@timestamp" => 2023-09-17T16:30:05.432Z,
      "@version" => "1",
       "message" => " },",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.438Z,
      "@version" => "1",
       "message" => "  \"source_port\": 44480,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"http_method\": \"GET\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.386Z,
      "@version" => "1",
       "message" => " {",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.420Z,
      "@version" => "1",
       "message" => "  \"time\": \"12/Aug/2023:13:20:53 +0000\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.421Z,
      "@version" => "1",
       "message" => "  \"source_ip\": \"167.114.103.160\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.421Z,
      "@version" => "1",
       "message" => "  \"source_port\": 41860,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"destination_ip\": \"66.22.93.239\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"destination_port\": 443,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"protocol\": \"https\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"http_method\": \"GET\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.422Z,
      "@version" => "1",
       "message" => "  \"host\": \"www.exmaple.com\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"request\": \"GET /images/FEBRUARY_2017/Money-Today-21.02.17_e-Insurance.jpg HTTP/1.1\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"directory\": \"/images/FEBRUARY_2017\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"accept_language\": \"en\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.423Z,
      "@version" => "1",
       "message" => "  \"x-forwarded-for\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"referrer\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"cookie\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"request_time\": \"0.570\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"response_code\": 200,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.424Z,
      "@version" => "1",
       "message" => "  \"http_bytes_in\": 430,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"http_bytes_out\": 4078,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"country_code\": \"CA\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"action\": \"Allowed\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.425Z,
      "@version" => "1",
       "message" => "  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.426Z,
      "@version" => "1",
       "message" => "  \"application_name\": \"exmaple\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.434Z,
      "@version" => "1",
       "message" => "  \"time\": \"12/Aug/2023:13:20:56 +0000\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"destination_port\": 443,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.432Z,
      "@version" => "1",
       "message" => " {",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.439Z,
      "@version" => "1",
       "message" => "  \"destination_ip\": \"66.22.93.239\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"host\": \"exmaple.com\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"request\": \"GET /images/FEBRUARY_2017/Motor-Claim-Fire-Financial-Express-20.02.17.jpg HTTP/1.1\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"directory\": \"/images/FEBRUARY_2017\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"user_agent\": \"Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"accept_language\": \"en\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.443Z,
      "@version" => "1",
       "message" => "  \"x-forwarded-for\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"referrer\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"cookie\": \"-\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"request_time\": \"0.031\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"response_code\": 301,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"http_bytes_in\": 437,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"http_bytes_out\": 740,",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.444Z,
      "@version" => "1",
       "message" => "  \"country_code\": \"CA\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"action\": \"Allowed\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"application_id\": \"4de48c5d-becc-49a3-bbf8-5fc57ff2e3c2\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"application_name\": \"exmaple\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.445Z,
      "@version" => "1",
       "message" => "  \"tenant_name\": \"exmaple\"",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.430Z,
      "@version" => "1",
       "message" => "  \"tenant_name\": \"exmaple\"",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.436Z,
      "@version" => "1",
       "message" => "  \"source_ip\": \"167.114.103.160\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}
{
    "@timestamp" => 2023-09-17T16:30:05.442Z,
      "@version" => "1",
       "message" => "  \"protocol\": \"https\",",
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "traplox"
}

Then I thought to use split filter

filter {
json { source => "message" target => "theJSON" }

split {
        field => "theJSON"
        }
}

Then getting below error

[WARN ] 2023-09-17 22:05:49.143 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.150 [[main]>worker3] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.152 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker1] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker2] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.153 [[main]>worker2] split - Only String and Array types are splittable. field:theJSON is of type = NilClass
[WARN ] 2023-09-17 22:05:49.154 [[main]>worker0] split - Only String and Array types are splittable. field:theJSON is of type = NilClass

Badger · September 17, 2023, 4:51pm

Blason:

Error parsing json {:source=>"message", :raw=>"  \"source_ip\": \"167.114.103.160\",", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
 at [Source: (byte[])"  "source_ip": "167.114.103.160",";

Your multiline codec filter is not combining lines. Uncomment "negate => true". If it is still breaking the input up then perhaps increase the auto_flush_interval.

Blason · September 17, 2023, 5:01pm

If I uncomment negate messages wont even get parsed

nput {
        stdin {
                codec => multiline {
                pattern => "^Spalanzani"
                negate => true
                what => "previous"
                auto_flush_interval => 10
                }
}
}

filter {
json { source => "message" target => "theJSON" }

split {
        field => "theJSON"
        }
}

output {
stdout { codec => rubydebug }
}

What I mean is messages does not get accepted in stdin

Badger · September 17, 2023, 5:20pm

The pattern never matches, so it keeps combining lines into a single event. It should flush when the auto flush timer triggers, or when it reaches end-of-file.

leandrojmp · September 17, 2023, 5:20pm

A couple of questions, what is the source if those messages? It looks like an API response, how is the source data being generated?

Do you have any control on the source of the message to change the format?

Blason · September 17, 2023, 5:22pm

Well the data is generated in s3buckets and we are eventually are thinking to pick it up from there.

Blason · September 17, 2023, 5:23pm

Ok so you suggest instead of stdin try it out with file option?

Badger · September 17, 2023, 5:23pm

Yes, that might help.

Blason · September 27, 2023, 10:44am

Still no luck with any of the option

system · October 25, 2023, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.