Logstash json filter error


(samineni) #1

Hi,

I am facing the below error while running Logstash.

Error parsing json {:source=>"message", :raw=>"}\r", :exception=>#<LogStash::Json::ParserError: Unexpected close marker '}': expected ']' (for ROOT starting at [Source: [B@6ff05fdd; line: 1, column: 0])
at [Source: [B@6ff05fdd; line: 1, column: 2]>, :level=>:warn}
{

Thanks in advance

Chow


(Magnus Bäck) #2

You probably have a multiline JSON file that you're not joining to a single event in a correct way, but without seeing your configuration and some sample input we can only guess.


(samineni) #3

Hi,
Please find the configuration.

logstash configuration
input {
  file {
    path => "C:\Logs\test.log"
    start_position => "beginning"
    codec => multiline {
      pattern => "^{"
      negate => true
      what => previous
    }
  }
}

filter {
  json {
    source => "message"
  }
}
If I do not use any filters, I get the below output; in that output my whole log comes in the message field. If I use the json filter, the multiline field does not work and I get an error.

output
{
"@timestamp" => "2018-09-20T10:35:56.993Z",
"message" => "{\r\n"SourceId" : "99fc846d-cdd0-547e-babb-54c514616e9d",\r\n"EventId" : "1",\r\n"Keywords" : "1",\r\n"Level" : "Verbose",\r\n"Message" : "",\r\n"Opcode" : "Info",\r\n"Task" : "65533 WriteVerbose",\r\n"Version" : "0",\r\n"Timestamp" : "2018-09-18T15:19:40.6927540Z",\r\n"Payload_message" : "Message received by NotificationSvcTwoWayImplementation. Set logging level above verbose to disable this message.",\r\n"Payload_MessageType" : "GetPatientNotifications",\r\n"Payload_MedseekPatientId" : "d209854e-c3c1-4999-aade-20819559c5da",\r\n"payload_exception " : "this is the exception while connecting the server\r\nserver abc ip of em server\r\nabcd\r\nefgh\r\nexception not resolved"\r\n"Payload_OriginatingMessageId" : "234d3d88-2a9f-4fcb-b983-8dc08dd36bbc",\r\n"EOE" : ""\r\n}\r",
"@version" => "1",
"tags" => [
[0] "multiline",
[1] "_jsonparsefailure"
],
"path" => "C:\Medseek\Logs\testfilter.log",
}

output for above logstash conf
{
"@timestamp" => "2018-09-20T10:50:25.723Z",
"@version" => "1",
"path" => "C:\Medseek\Logs\testfilter.log",
"host" => "AZ-AQA-COM-01",
"SourceId" => "444444-cdd0-547e-babb-1212121",
"EventId" => "1",
"Keywords" => "1",
"Level" => "Verbose",
"Message" => "",
"Opcode" => "Info",
"Task" => "65533 WriteVerbose",
"Version" => "0454",
"Timestamp" => "2018-09-18T15:19:40.6927540Z",
"Payload_message" => "Message received this message.",
"Payload_MessageType" => "getting",
"Payload_MedseekPatientId" => "444-454545-4999-aade-45454",
"Payload_OriginatingMessageId" => "454-2a9f-454545454-b983-454545454",
"EOE" => ""
}

expecting output:
{
"@timestamp" => "2018-09-20T10:50:25.723Z",
"@version" => "1",
"path" => "C:\Medseek\Logs\testfilter.log",
"host" => "AZ-AQA-COM-01",
"SourceId" => "444444-cdd0-547e-babb-1212121",
"EventId" => "1",
"Keywords" => "1",
"Level" => "Verbose",
"Message" => "",
"Opcode" => "Info",
"Task" => "65533 WriteVerbose",
"Version" => "0454",
"Timestamp" => "2018-09-18T15:19:40.6927540Z",
"Payload_message" => "Message received this message.",
"Payload_MessageType" => "getting",
"Payload_MedseekPatientId" => "444-454545-4999-aade-45454",
"Payload_Exception" : "at System.Xml..6666666.exception exception exception exception exception
at office.Xml.454544544.exception exception exception exception exception
at ntegration.555555.exception exception exception exception exception
"Payload_OriginatingMessageId" => "454-2a9f-454545454-b983-454545454",
"EOE" => ""
}

The multiline field (exception field) should also come as one field. I tried but no luck.
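
Added example, not part of the original thread: a Python sketch of how a multiline codec with `pattern => "^{"`, `negate => true`, `what => previous` groups lines into events, and why a joined event whose string value contains raw line breaks still fails a strict JSON parse (RFC 8259 requires control characters inside strings to be escaped). Python's `json` module stands in for Logstash's parser as an assumption; the function names and the sample records are constructed for illustration.

```python
import json
import re

def join_multiline(lines, pattern=r"^\{"):
    """Mimic multiline with negate => true, what => previous: a line that
    does NOT match the pattern is appended to the previous event."""
    events = []
    for line in lines:
        if re.search(pattern, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def escape_raw_newlines(text):
    """Escape CR/LF found inside JSON string literals only."""
    out, in_string, escaped = [], False, False
    for ch in text:
        if in_string and not escaped and ch in "\r\n":
            out.append("\\r" if ch == "\r" else "\\n")
            continue
        if ch == '"' and not escaped:
            in_string = not in_string
        escaped = ch == "\\" and not escaped
        out.append(ch)
    return "".join(out)

def try_parse(text):
    """Return (object, None) on success or (None, error message)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, exc.msg

# Constructed sample: two records, the first with a two-line exception value.
SAMPLE = ('{\r\n"EventId" : "1",\r\n'
          '"Payload_Exception" : "at first frame\r\nat second frame",\r\n'
          '"EOE" : ""\r\n}\r\n'
          '{\r\n"EventId" : "2",\r\n"EOE" : ""\r\n}\r\n')

EVENTS = join_multiline(SAMPLE.split("\n")[:-1])  # file input splits on \n

if __name__ == "__main__":
    for event in EVENTS:
        obj, err = try_parse(event)
        if err:
            print("parse failed:", err)
            obj, err = try_parse(escape_raw_newlines(event))
        print(obj)
```

The repair step only handles raw CR/LF inside string values; a record with other syntax errors, such as a missing comma between members, still fails to parse.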


(Magnus Bäck) #4

This question is a duplicate of another thread.

