Nested json imposible to parse

Elastic Stack Logstash
1

Hi,

I have a nested json in a field like this:
{
....
"host" => "repo1.server.io",
"source" => "/mnt/centralizedlogs/logstash/netsec/48851f14d3e9/2017-06-08.txt",
"message" => "{"@timestamp"=>"2017-06-08T07:06:13.427Z", "@version"=>"1", "beat"=>{"hostname"=>"48851f14d3e9", "name"=>"48851f14d3e9", "version"=>"5.4.1"}, "group"=>"netsec", "host"=>"48851f14d3e9", "identifier"=>"asalog", "input_type"=>"log", "message"=>"Jun 8 02:06:12 172.16.124.1 %ASA-4-106023: Deny tcp src OUTSIDE:104.168.182.194/59523 dst ProdWeb:10.246.165.119/3555 by access-group \"101\" [0x0, 0x0]", "offset"=>44112925, "source"=>"/var/log/asa/asa.log", "tags"=><Java::JavaUtil::ArrayList:-1276964729 ["beats_input_codec_plain_applied"]>, "type"=>"log"}",
....
}
I tried to do:

json
{
source => "message"
target => "parsed"
}
also tried to add_field with:

"%{[message][identifier]}"
"%{[message][0][identifier]}"
[message][identifier]

not working :frowning:

Also in the input i tried:

codec => "json"

Always I get a : [0] "_jsonparsefailure",

any ideas? what I'm doing wrong?

Thank you very much!

2

I get: <LogStash::Json::ParserError: Unexpected character ('=' (code 61)): was expecting a colon to separate field name and value

I guess I have to replace "=" for ":"...

thanks

3

What you've shown us isn't JSON. It looks like something produced by Logstash's rubydebug codec. If so, why are you trying to parse it?

4

Hi

this is what i receive from filebeat which i'm not the owner...

5

Even though that is not valid JSON, it is quite close, so you may be able to convert it to valid JSON using a mutate filter. Something like this may work:

mutate {
    gsub => [
      "message", '=>', ':',
      "message", ':,', ':[],'
    ]
}
6

Well, Filebeat doesn't produce data that looks like that. Where does Filebeat get its data from?

7

Hi

maybe the problem comes from the origin, I don't know.., But I will use the Christian solution, to get a valid JSON

Thanks

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.