Parse nested JSON data into logstash

Magesh_02 · September 1, 2021, 12:31pm

New to ELK stack, trying to import my JSON data into elastic serach, but its fails, since my json input is nested types. I have tried many solution but still i could not able to get.

here is my input

{
  "Folders": [
    {
      "Name": "Folder1",
      "Total Files": [
        {
          "Added": 44488,
          "Deleted": 4444,
          "Total files by extension": [
            {
              "Name": ".txt,exe",
              "Added": 44488,
              "Deleted": 4444

            },
            {
              "Name": ".doc",
              "Added": 44488,
              "Deleted": 4444
            }
          ]
        }
      ]
    },
    {
      "Name": "Folder2",
      "Total Files": [
        {
          "Added": 44488,
          "Deleted": 4444,

          "Total files by extension": [
            {
              "Name": ".txt,.exe",
              "Added": 44488,
              "Deleted": 4444

            },
            {
              "Name": ".doc",
              "Added": 44488,
              "Deleted": 4444

            }
          ]
        }
      ]
    }
  ]
}

Config file

input { 


 file {
   path => "D:/sample.json"
   start_position => "beginning"
    type => "json"
    codec => "json"
    sincedb_path => "/dev/null"
 }
}

filter {
if [message] drop {}
 
}



output {
   
  stdout {
    codec => rubydebug
  }
 
  # Sending properly parsed log events to elasticsearch
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "results"
  }
}

Any help on this?

Badger · September 1, 2021, 1:58pm

See here.

Magesh_02 · September 2, 2021, 5:53am

Hi @Badger

I'm still having the same problem, and both solutions result in a json parsing error. The same applies to flattened json data.

Error:

[2021-09-02T11:20:28,725][WARN ][logstash.filters.json    ][main][a39479da327a8f2b0a3503f33c5a383682f4ba6777108aceccd46983b1e8556f] Error parsing json {:source=>"message", :raw=>"  \"Added\": 44488,\r", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

I even tried the same input given in this post

Also pipeline was not started

Badger · September 2, 2021, 1:05pm

That shows that you are trying to parse a single line of a pretty-printed JSON object. You need to combine the entire object into a single [message] field before trying to parse it. The post I linked to explains how to do that.

system · September 30, 2021, 1:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nested Json logs - how to filter correctly Logstash	12	4627	July 6, 2017
Parse nested json - Logstash v16.2 on Windows 10 Logstash	2	194	April 29, 2022
Help parsing nested JSON from VirusTotal Logstash	12	1607	October 22, 2017
Nested Json parse failure in logstash? Logstash	9	1404	September 12, 2019
Json parse exception on \r in logstash 5.2. for nested json on windows Logstash	5	985	April 12, 2017

Parse nested JSON data into logstash

Related topics