Logstash JSON parser error

Hi,

We are getting json parser warning message as below:

  1. [2023-01-08T13:21:12,936][WARN ][logstash.filters.json ] Error parsing json {:source=>"slmPart", :raw=>"{"action":UPDATE,"information":"Signing CSR for root Machine1"}", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'UPDATE': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: byte)"{"action":UPDATE,"information":"Signing CSR for root Machine1"}"; line: 1, column: 18]>}
    [2023-01-08T13:21:12,937][WARN ][logstash.filters.json ] Error parsing json {:source=>"slmPart", :raw=>"{"action":UPDATE,"information":"Instance configuration file has been updated"}", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'UPDATE': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: (byte)"{"action":UPDATE,"information":"Instance configuration file has been updated"}"; line: 1, column: 18]>}

Eventhough logstash config test and exit command returns OK. But, the logtstash writing the above log entries in the log.

Please share your expertise.

Regards,
Ramesh P

I don't think this is a valid JSON, the UPDATE should be between double quotes.

The json filter won't be able to parse this message, do you have control on the source that generates this messages to add the double quotes?

Hi Ramesh,

I think follow what leandrojmp has mentioned about the json, and the source message. You could test that json here to see if its valid if you have control to access it: https://jsonlint.com/

Kind Regards,
Chris

logstash config test is only test your .conf file for instance: json.conf, not data.

As leandrojmp said, your data is not OK, LS will raise the tag: _jsonparsefailure. Or you have several records OK, then a wrong record. Incorrect data you can handle in output

output {
 if ("_jsonparsefailure" in [tags]) { 
     elasticsearch {
     hosts => ["http://eshost:9200"]
     index => "error_%{+YYYY.MM}"
     user => "user"
     password => "pass"
  }
 }

Thanks All for your reply.

I'm getting this warning only at the LS start-up, post-start, it is not getting displayed. But the source data keeps on passing through the LS. Not sure, Why the same is not coming for all the source data.

The same issue is not occurring in the LS version 7.10.2 for the same source data. Whereas the LS version 8.4.0 only throws this warning.

Please share your expertise.

Regards,
Ramesh P