JSON parse error

rusty_cole · January 5, 2022, 9:27am

Hi,
I have the following error only for some of my json files, other files have no issue.
I am guessing the root cause is the brackets in the json fields.
I have seen some posts in the matter but no solution worked for me.
Any help would be appreciated.

The error - JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Invalid FieldReference:

Json file example -

[{"name": "system\\currentcontrolset\\services", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data\\Linkage", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {"Export": "['.NET CLR Data']"}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data\\Performance", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {"Close": "ClosePerformanceData", "Collect": "CollectPerformanceData", "

My conf:

		            file
        {
            path => "C:/Evidence/Registry/**/*.json"
            start_position => "beginning"        
            sincedb_path => "nul"
			codec => "json"
			file_chunk_size => "90000000"
			delimiter => "§¶¶§"
			mode => "read"	
            type => "json"

        }
}
filter {

   if [type] == "json" {
    json {
    source => "[message]"
    remove_field => ["[message]"]
  }
}
}

rusty_cole · January 5, 2022, 12:11pm

The field that is causing the problems is - "m[~4~~": "1",
If i remove it manually it works.
Can i remove it with mutate gsub while using a json codec?

Badger · January 5, 2022, 5:00pm

No, that is not possible. The codec decodes the JSON before the event is sent to the pipeline. You would have to remove the json filter, add a mutate+gsub filter and then a json filter after the mutate.

rusty_cole · January 6, 2022, 8:00am

Unfortunately, for some reason the json filter does not work on my json files(it ignores them). only the json codec works.
Thanks for your help anyway.

system · February 3, 2022, 8:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash JSON parse error Logstash	4	2766	June 8, 2021
JSON filter Invalid FieldReference for [ ] Logstash	2	778	November 25, 2021
How to deal with brackets json input filter Logstash	9	1044	June 10, 2021
Need help removing square brackets from field name in JSON input Logstash	4	2373	June 21, 2019
LogStash::Json::ParserError Logstash	10	903	November 17, 2020

JSON parse error

Related Topics