I have a JSON message that is not escaping well due to a double quote after
"<?xml
as below:
[2017-08-21T23:59:59,133][WARN ][logstash.codecs.jsonlines] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): was expecting comma to separate OBJECT entries
at [Source: { "type":"syslog","host":"host1","role":"ingest_log","message":" [HFB] 2017-08-22 00:00:04,260 INFO [MuleScheduler1_Worker-10] outgoing.Manager (::): Converting Xml into object for xml: "<?xml version="1.0" ...""}; line: 1, column: 209]>, :data=>"{ \"type\":\"syslog\",\"host\":\"host1\",\"role\":\"ingest_log\",\"message\":\" [HFB] 2017-08-22 00:00:04,260 INFO [MuleScheduler1_Worker-10] outgoing.Manager (::): Converting Xml into object for xml: \"<?xml version=\"1.0\" ...\"\"}"}
I tried the follow filter below.
filter{
if [role] == "ingest_log" {
mutate {
gsub => ["message",'"','\"']}
grok {
match => ["message", " INFO %{TIMESTAMP_ISO8601:timestamp_match} %{GREEDYDATA:message}"]
match => ["message", ' INFO %{TIMESTAMP_ISO8601:timestamp_match} %{GREEDYDATA:message}']
overwrite => ["message"] }
date {
match => [ "timestamp_match", "yyyy-MM-dd HH:mm:ss,SSS"]
target=> "@timestamp"
remove_field => ["timestamp_match"]}}
}
The mutate doesn't look to do anything, am I doing this incorrectly?