Json processor Parsing Issue Workaround

vishnu.a · January 16, 2024, 8:18pm

Hello I'm trying to parse a field using the Json processor. the input is similar to the following:

{"json": {
\"field1\":\"...\",
\"field2\":\"...\",
... ,
\"Message\":\"<message here>\",
... ,
\"fieldn\":\"...\"
}

The issue is that in the message field, every now and then, the following example will break the entire processor:

... Command Line:\"c:/ProgramData...

I'm sure its because of the <"> that signals the end of the field.

Is there a work around within the current json processor, or am I better off using a Gsub to a different delimiter and then using the KV processor?

yago82 · January 17, 2024, 10:53am

vishnu.a:

Hello I'm trying to parse a field using the Json processor. the input is similar to the following:
{"json": {
\"field1\":\"...\",
\"field2\":\"...\",
... ,
\"Message\":\"<message here>\",
... ,
\"fieldn\":\"...\"
}
The issue is that in the message field, every now and then, the following example will break the entire processor:
... Command Line:\"c:/ProgramData...
I'm sure its because of the <"> that signals the end of the field.

Is there a work around within the current json processor, or am I better off using a Gsub to a different delimiter and then using the KV processor?

Hi,

One way to handle this is to use the gsub processor before the json processor in your ingest pipeline. The gsub processor can replace the escaped quotes (\" ) within the "Message" field with a different character or sequence of characters that won't interfere with JSON parsing.

Gsub processor | Elasticsearch Guide [8.11] | Elastic

Regards

system · February 14, 2024, 10:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.