Logstash 6.2 json parse failure

Arnav_Sengupta · June 17, 2019, 5:58am

Hi,

I am trying to parse the below filebeat log

{  "event": {
"host": {
  "name": "lpcservices-dev-int-alln-75f4d6df98-t9wj2"
},
"beat": {
  "version": "6.4.2",
  "name": "lpcservices-dev-int-alln-75f4d6df98-t9wj2",
  "hostname": "lpcservices-dev-int-alln-75f4d6df98-t9wj2"
},
"source": "/home/jboss/lae-home/app-root/logs/lpcatalogservicesAppIO.log",
"input": {
  "type": "log"
},
"tags": [
  "applicationLogs",
  "beats_input_codec_plain_applied"
],
"message": "2019-06-14 02:25:48 [IOLogger] INFO  {env=STAGE-YS2, serviceType=catalog_ITEM_PUBLISHABLE, transactionId=CAE-TEST-15} - {\"noOfLines\":0,\"request\":\"{\\\"requestHeader\\\":{\\\"transactionID\\\":\\\"CAE-TEST-15\\\",\\\"ccoID\\\":\\\"NETFORMX-XML\\\"},\\\"entries\\\":[{\\\"priceList\\\":\\\"WCH2\\\",\\\"items\\\":[\\\"L-CDACDN-UP3X\\\\u003d\\\",\\\"CAB-AC\\\\u003d\\\"]}]}\",\"timeTaken\":39}",
"@version": "1",
"@timestamp": "2019-06-14T09:25:48.647Z",
"offset": 1354,
"prospector": {
  "type": "log"
 }
}
}

I want to parse the json "host". I want to extract "name" from it into a field called "host" of my own. To break it down into step by step, I first just tried to parse the json by using the following filter

json { source => "host" }

However, when I do this, I get a '_jsonparsefailure' tag in my output in logstash logs

output received {"event"=>{"type"=>"io", "offset"=>2716, "logLevel"=>"INFO ", "input"=>{"type"=>"log"}, "host"=>{"name"=>"lpcservices-dev-int-alln-75f4d6df98-t9wj2"}, "@timestamp"=>2019-06-17T05:45:48.000Z, "serviceType"=>"catalog_ITEM_PUBLISHABLE", "env"=>"STAGE-YS2", "noOfLines"=>0, "timeTaken"=>38, "request"=>"{\"requestHeader\":{\"transactionID\":\"CAE-TEST-15\",\"ccoID\":\"NETFORMX-XML\"},\"entries\":[{\"priceList\":\"WCH2\",\"items\":[\"L-CDACDN-UP3X\\u003d\",\"CAB-AC\\u003d\"]}]}", "timestamp"=>"2019-06-16 22:45:48", "source"=>"/home/jboss/lae-home/app-root/logs/lpcatalogservicesAppIO.log", "tags"=>["applicationLogs", "beats_input_codec_plain_applied", "_jsonparsefailure"], "@version"=>"1", "threadName"=>"IOLogger", "transactionId"=>"CAE-TEST-15", "prospector"=>{"type"=>"log"}}}

Any idea why it's throwing this error?

Badger · June 17, 2019, 1:22pm

Can't you just reference [host][name]?

Arnav_Sengupta · June 17, 2019, 1:50pm

Okay, that worked. I think I know why my json filter didn't work. The debug log shows the input data as follows

"host"=>{"name"=>"lpcservices-dev-int-alln-75f4d6df98-t9wj2"}

This isn't really a json.

One question, does this mean nested fields from beats can be accessed as associative arrays?

Badger · June 17, 2019, 2:15pm

If a field is an object then you can reference fields inside that object, yes. Like [host][name] or [beat][hostname].

system · July 15, 2019, 2:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Having problem with parsing Json data using Filebeat and Logstash Beats filebeat	11	3806	October 23, 2017
Could not index event to Elasticsearch, failed to parse [timestamp] Logstash	3	1633	February 27, 2020
Advice on parsing a JSON log Logstash	5	445	November 7, 2019
Problem parsing Json from Beats Logstash	2	2164	August 28, 2017
Logstash JSON Parse error.... With valid JSON data Logstash	5	3991	July 6, 2017

Logstash 6.2 json parse failure

Related topics