JSON parse error

Hi,
I have the following error only for some of my json files, other files have no issue.
I am guessing the root cause is the brackets in the json fields.
I have seen some posts on the matter but no solution worked for me.
Any help would be appreciated.

The error - JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Invalid FieldReference:

Json file example -

[{"name": "system\\currentcontrolset\\services", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data\\Linkage", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {"Export": "['.NET CLR Data']"}}, {"name": "system\\currentcontrolset\\services\\.NET CLR Data\\Performance", "hive": "HKEY_LOCAL_MACHINE", "exists": "True", "values": {"Close": "ClosePerformanceData", "Collect": "CollectPerformanceData", "

My conf:

input {
    file {
        path => "C:/Evidence/Registry/**/*.json"
        start_position => "beginning"
        # "nul" is the Windows null device, so no read position is persisted
        sincedb_path => "nul"
        codec => "json"
        file_chunk_size => "90000000"
        delimiter => "§¶¶§"
        mode => "read"
        type => "json"
    }
}
filter {
    if [type] == "json" {
        json {
            source => "[message]"
            remove_field => ["[message]"]
        }
    }
}

The field that is causing the problems is - "m[~4~~": "1",
If I remove it manually it works.
Can I remove it with mutate gsub while using a json codec?

No, that is not possible. The codec decodes the JSON before the event is sent to the pipeline. You would have to remove the json filter, add a mutate+gsub filter and then a json filter after the mutate.

Unfortunately, for some reason the json filter does not work on my json files (it ignores them). Only the json codec works.
Thanks for your help anyway.
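
An alternative when the json codec has to stay, shown as an added example that is not from any poster in this thread: rewrite the offending key names in a copy of each file before Logstash reads it. The sketch generalizes from the single `"m[~4~~"` field to any key containing `[` or `]`, leaves values such as `"['.NET CLR Data']"` untouched (only key names are treated as field references), and returns a rename log so the change to the evidence copy is traceable. The function names, the `_` replacement and the sample data are assumptions.

```python
import json

# Replacement character is an assumption; use whatever your field naming allows.
BRACKETS = str.maketrans({"[": "_", "]": "_"})

# Constructed sample modelled on the registry export quoted in the thread.
SAMPLE = r'''[{"name": "system\\currentcontrolset\\services\\Example",
  "hive": "HKEY_LOCAL_MACHINE", "exists": "True",
  "values": {"Export": "['.NET CLR Data']", "m[~4~~": "1", "m_~4~~": "0"}}]'''


def sanitize_keys(node, path="$", renamed=None):
    """Return (clean_copy, renamed); no dict key in clean_copy has '[' or ']'.

    renamed collects (json_path, old_key, new_key) tuples as an audit trail.
    """
    if renamed is None:
        renamed = []
    if isinstance(node, list):
        clean = [sanitize_keys(v, f"{path}[{i}]", renamed)[0]
                 for i, v in enumerate(node)]
        return clean, renamed
    if not isinstance(node, dict):
        return node, renamed  # scalar values are never rewritten
    clean = {}
    for key, value in node.items():
        new_key = key.translate(BRACKETS)
        if new_key != key:
            # Do not overwrite a sibling that already carries the new name.
            base, n = new_key, 1
            while new_key in node or new_key in clean:
                n += 1
                new_key = f"{base}_{n}"
            renamed.append((path, key, new_key))
        clean[new_key] = sanitize_keys(value, f"{path}.{key}", renamed)[0]
    return clean, renamed


def sanitize_text(text):
    """Parse JSON text, sanitize its keys, and return (json_text, renamed)."""
    clean, renamed = sanitize_keys(json.loads(text))
    return json.dumps(clean), renamed


if __name__ == "__main__":
    out, renamed = sanitize_text(SAMPLE)
    print(out)
    for where, old, new in renamed:
        print(f"renamed at {where}: {old!r} -> {new!r}")
```

Write the output to a separate directory and point the file input's `path` there, so the original evidence files stay unmodified.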
