Logstash filter json warning

Aniket_Pant · July 22, 2021, 8:00am

Using ELK 7.13.2
The logstash is consuming logs from kafka in json format earlier it was parsing the data but now it is not working

[2021-07-22T12:18:44,401][WARN ][logstash.filters.json    ][ise][d51b308934c5e59604230fc981ad93b4109f63ea34e95a917c831d9b539476ad] Error parsing json {:source=>"message", :raw=>["{\"time\":\"2021-07-21T18:01:08+05:30\",\"tags\":\"ise\",\"proxied_srcip\":\"xx.xx.xx.xx\",\"message\":\"xxxxxx,xxxxxxx,xxxxxx,.....,\",\"host\":\"xxx\"}","NOTICE Passed-Authentication: Authentication succeeded"], :exception=>java.lang.ClassCastException}

it is not parsing any data

AquaX · July 22, 2021, 1:26pm

Are you trying to convert a data type to another data type?

leandrojmp · July 22, 2021, 1:35pm

What is the output you are getting in the message field?

From the error log I think that it is an array

:source=>"message", :raw=>["{\"time\":\"2021-07-21T18:01:08+05:30\",\"tags\":\"ise\",\"proxied_srcip\":\"xx.xx.xx.xx\",\"message\":\"xxxxxx,xxxxxxx,xxxxxx,.....,\",\"host\":\"xxx\"}","NOTICE Passed-Authentication: Authentication succeeded"]

It looks like that the raw part with the content of the field message has two itens.

Can you share your message field?

Aniket_Pant · July 23, 2021, 9:06am

no i am not converting anything.

Aniket_Pant · July 23, 2021, 9:14am

In kafka the message is stored as in json format

{"time":"2021-07-23T12:28:19+05:30","tags":"ise","proxied_srcip":"xx.xx.xx.xx","message":"xxxx","host":"xxxxxx"}

logstash logs

[2021-07-23T14:39:22,724][WARN ][logstash.filters.json    ][ise][d6b83eeca151b16126379e73295e113853498156da958a0e9df1e6c386d3e473] Error parsing json {:source=>"message", :raw=>["{\"time\":\"2021-07-23T14:32:02+05:30\",\"tags\":\"ise\",\"proxied_srcip\":\"xx.xx.xx.xx\",\"message\":\"xxxx\",\"host\":\"xxx\"}", "NOTICE Passed-Authentication: Authentication succeeded"], :exception=>java.lang.ClassCastException: class org.jruby.RubyArray cannot be cast to class org.jruby.RubyIO (org.jruby.RubyArray and org.jruby.RubyIO are in unnamed module of loader 'app')}

I don't know why i am getting this i resolve this by restarting the logstash but after some hours it shows the warning like

[WARN ][logstash.filters.json    ] and [WARN ][logstash.filters.grook    ]

leandrojmp · July 23, 2021, 12:14pm

Can you share your pipeline?

Also, how are you sending the data to kafka?

Aniket_Pant · July 25, 2021, 3:16pm

Hey @leandrojmp the warning is not coming the new issue is filter grok i have to open this issue

system · August 22, 2021, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reading Data From Kafka and use filter json fails with ParserError Logstash	19	4320	July 5, 2018
Exctracting JSON format of data from the Input logs containing both JSON and Plain Text Logstash	4	500	September 7, 2018
Failed action with response of 400, dropping action (Logstash to Kafka to Logstash to E and Mongo) (SOLVED) Elasticsearch	6	3138	July 5, 2017
Error parsing json with Logstash Logstash	15	8914	October 10, 2019
Kafka input json Logstash	2	3909	July 6, 2017

Logstash filter json warning

Related Topics