Greetings.
I have a JSON file generated using the Tshark -T ek command, converting a Wireshark PCAP file to JSON to be inserted into Elasticsearch.
The thing is, I am getting a parse error exception on the production side.
:exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
The weird thing is, I copied the same JSON file to be tested locally, with the Logstash config file, and it turns out fine without any exception. Any thoughts on what I might have gotten wrong?
I have no clue what is wrong, because the JSON is generated using the Tshark -T ek command.
Has anyone here encountered any problems with Tshark-generated JSON?
OS: CentOS 7
Logstash: 6.2.3
Have you used an online validator like jsonlint to check the JSON?
There have been problems with how Tshark generates JSON.
What version of Tshark are you using?
Yes. Checked a few times with jsonlint. Apparently, it has problems with duplicated keys, but the weird thing is that it processes without any problems/exceptions on my side.
Wireshark version: wireshark-qt-2.4.6-1.x86_64
It's worth upgrading Wireshark to 2.6.0.
Many thousands of users are ingesting JSON with Logstash 24/7; we rarely find bugs in the JSON parser these days. The LS JSON parser is really a wrapper around the Jackson JSON processor. https://www.google.co.uk/search?q=jackson+json
Jackson is very widely used. For example, Elasticsearch uses it to parse the JSON in the REST API.
I will try to talk to my team about it. Thanks for pointing that out.
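
A line-by-line check of the kind discussed in this thread, as an added example that is not part of any post above: it parses each line of newline-delimited JSON (the shape `tshark -T ek` produces) and reports hard parse errors and duplicate keys with their line numbers. The sample lines, field names and the `check_ndjson` helper are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the newline-delimited shape of `tshark -T ek` output:
# an index action line followed by a document line. Line 2 repeats a key,
# line 4 has a stray ':' where a value is expected.
SAMPLE = "\n".join([
    '{"index": {"_index": "packets-2018-05-01", "_type": "pcap_file"}}',
    '{"timestamp": "1525132800000", "layers": {"ip": {"ip_src": "10.0.0.1", "ip_src": "10.0.0.2"}}}',
    '{"index": {"_index": "packets-2018-05-01", "_type": "pcap_file"}}',
    '{"timestamp": "1525132801000", "layers": {"dns": {"dns_qry_name": : "example.test"}}}',
])


def _dupe_hook(dupes):
    """Build an object_pairs_hook that records keys repeated within one object."""
    def hook(pairs):
        counts = Counter(key for key, _ in pairs)
        dupes.extend(key for key, n in counts.items() if n > 1)
        return dict(pairs)
    return hook


def check_ndjson(text):
    """Return (line_no, kind, detail) findings for newline-delimited JSON."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no document
        dupes = []
        try:
            # json.loads alone keeps the last duplicate silently; the hook
            # sees every key/value pair before they collapse into a dict.
            json.loads(line, object_pairs_hook=_dupe_hook(dupes))
        except json.JSONDecodeError as exc:
            findings.append((line_no, "parse_error", f"{exc.msg} at column {exc.colno}"))
            continue
        findings.extend((line_no, "duplicate_key", key) for key in dupes)
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in check_ndjson(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Running the same check on the production copy and the local copy of the file shows whether the two inputs actually match.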