Json processor Parsing Issue Workaround

Hello, I'm trying to parse a field using the Json processor. The input is similar to the following:

{"json": {
\"field1\":\"...\",
\"field2\":\"...\",
... ,
\"Message\":\"<message here>\",
... ,
\"fieldn\":\"...\"
}

The issue is that in the message field, every now and then, the following example will break the entire processor:

... Command Line:\"c:/ProgramData...

I'm sure it's because of the <"> that signals the end of the field.

Is there a workaround within the current json processor, or am I better off using a Gsub to a different delimiter and then using the KV processor?

Hi,

One way to handle this is to use the gsub processor before the json processor in your ingest pipeline. The gsub processor can replace the escaped quotes (\") within the "Message" field with a different character or sequence of characters that won't interfere with JSON parsing.

Gsub processor | Elasticsearch Guide [8.11] | Elastic

Regards
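A variant of the pre-parse clean-up discussed in this thread, as an added example that is not part of the original posts: it is written in Python to show the logic, escapes only the quotes that are not part of the JSON structure, and tags the event when the repair fails so the log line is kept rather than dropped. It assumes the inner document is a flat object of string values; the function name, tag names and sample strings are hypothetical and constructed for illustration.

```python
import json
import re

# Quotes that belong to the JSON structure of a flat object of string values
# (group 1), versus any other quote, which is assumed to be message content.
TOKEN = re.compile(r'''
    ( ^\s*\{\s*"     # object start and opening quote of the first key
    | "\s*:\s*"      # end of a key, start of its value
    | "\s*,\s*"      # end of a value, start of the next key
    | "\s*\}\s*$     # end of the last value and of the object
    | \\.            # a character that is already escaped
    )
    | "              # everything else: a stray quote inside a value
''', re.VERBOSE | re.DOTALL)

# Constructed samples modelled on the input described in the question.
GOOD = '{"field1":"a","Message":"Logon ok","fieldn":"z"}'
BROKEN = ('{"field1":"a","Message":"Command Line:"c:/ProgramData/app/run.exe" -k",'
          '"fieldn":"z"}')
AMBIGUOUS = '{"field1":"a","Message":"Command Line:"a.exe","b"","fieldn":"z"}'


def parse_inner_json(raw):
    """Return (fields, tags); never raises on malformed input."""
    try:
        return json.loads(raw), []
    except json.JSONDecodeError:
        pass
    # Keep structural tokens untouched, escape every other quote.
    repaired = TOKEN.sub(lambda m: m.group(1) or '\\"', raw)
    try:
        return json.loads(repaired), ["json_repaired"]
    except json.JSONDecodeError:
        # Preserve the original text so the event can still be searched.
        return {"raw": raw}, ["json_parse_failure"]


if __name__ == "__main__":
    for sample in (GOOD, BROKEN, AMBIGUOUS):
        fields, tags = parse_inner_json(sample)
        print(tags, fields)
```

A message that itself contains `","` or `":"` is still ambiguous, which is why repaired events carry a tag instead of passing through silently.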
