LogStash::Json::ParserError: Unexpected character (':' (code 58))

shailendra1 · July 7, 2023, 7:42am

i am facing the unexpected character error code 58 in my json data. even after validation of the data the logstash is reporting the errors . below is the sample data , can anyone help why logstash reporting an error here.



{
	"http": {
		"request": {
			"headers": {
				"accept-api-version": ["resource=2.0"],
				"host": ["blue-csecidp.uat.abc.com:8443"],
				"user-agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"],
				"x-forgerock-transactionid": ["ZIIZ9s_ewIWfgPhkrsqdxgAA234"],
				"x-forwarded-for": ["1.1.1.y"]
			},
			"secure": true,
			"method": "POST",
			"path": "https://blue-csecidp.uat.abc.com:8443/am/json/realms/root/realms/employee/authenticate",
			"queryParameters": {
				"authIndexType": ["service"],
				"authIndexValue": ["Push"]
			}
		}
	},
	"_id": "85f902e4-b971-4364-be35-07a4838bceed-195030431",
	"timestamp": "2023-06-08T18:12:07.186Z",
	"eventName": "AM-ACCESS-OUTCOME",
	"transactionId": "ZIIZ9s_ewIWfgPhkrsqdxgAAAII",
	"trackingIds": ["85f902e4-b971-4364-be35-07a4838bceed-195030421"],
	"client": {
		"ip": "1.1.1.x",
		"port": 23698
	},
	"response": {
		"status": "SUCCESSFUL",
		"statusCode": "200",
		"elapsedTime": 840,
		"elapsedTimeUnits": "MILLISECONDS"
	},
	"realm": "/employee",
	"component": "Authentication"
}

shailendra1 · July 13, 2023, 5:17am

below is my logstash config

 filter {
                json { source => "message" }
                #### ACCESS AUDIT JSON Filtering
                if [application] == [ "CSEC-elk" ] {
                        ruby { code => 'h = event.get("[http][request][headers]")
                if h
                        h.each { |k, v| event.set("[headers][#{k}]", v[0]) }
                end'
                }
                 split { field => "[headers][_id]" }
                 mutate { rename => { "_id" => "[trac_id]" } }
                }

also i am getting warning with this filter in split field that

Only String and Array types are splittable. field:[headers][_id] is of type = NilClass

system · August 10, 2023, 5:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Json file not parsing getting error unexpected character (':'' (code 58)) Logstash	6	387	August 18, 2022
exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') Logstash	8	3888	August 12, 2020
LogStash::Json::ParserError: Unexpected character ('(' (code 40)) Logstash	10	1517	August 9, 2022
JSON parse error, original data now in message field {:message=>"Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')\n at [Source: (String) Logstash	12	5540	February 1, 2023
Unexpected character '<' Logstash	3	1378	March 28, 2019

LogStash::Json::ParserError: Unexpected character (':' (code 58))

Related topics