Parsed Multi Object in Json

Hi there,

so i have a log look like this:

2022-10-27 08:39:02 [https-jsse-nio-9078-exec-7] INFO i.c.p.va.security.LoggerFilter - Response Body : {"responseCode":"00","responseDesc":"Approved","data":"{"vaNumber":"11122233344","accountName":"NAME","balance":"205569"}"}

i already apply grok filter like this

match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} [%{NOTSPACE:program}] %{LOGLEVEL:logLevel}%{SPACE}%{NOTSPACE:serviceName} - Response Body : %{GREEDYDATA:responseBody}" }

and then i applied json plugin like this:

json{
source => "responseBody"
target => "responseBody"
skip_on_invalid_json => true
}

and the result is the "data" object from Response Body didn't parsed. i just got responseBody.responseCode & Desc. if i try to change the json filter to become like this:

json{
source => "[responseBody][data]"
target => "responseBodydata"
skip_on_invalid_json => true
}

it just produces the opposite of the previous result. can anyone help me? Thank you

You JSON is not valid, and you have set the skip_on_invalid_json option on the json filter, so it is skipping it.

{"responseCode":"00","responseDesc":"Approved","data":"{"vaNumber":"11122233344","accountName":"NAME","balance":"205569"}"}

If [data] is meant to be an encoded string it should be

{"responseCode":"00","responseDesc":"Approved","data":"{\"vaNumber\":\"11122233344\",\"accountName\":\"NAME\",\"balance\":\"205569\"}"}

and if [data] is meant to be a hash then

{"responseCode":"00","responseDesc":"Approved","data":{"vaNumber":"11122233344","accountName":"NAME","balance":"205569"}}

Ok, if my json is valid. How to do that?

This is my log look like actually. i don't know why the \ character is dissapear in my post before. then, if my log look like this. was there any way to parse it? Thank you

Well, for me

    json{ source => "responseBody" target => "responseBody" skip_on_invalid_json => true }
    json{ source => "[responseBody][data]" target => "[responseBody][data]" skip_on_invalid_json => true }

produces

"responseBody" => {
    "responseDesc" => "Approved",
            "data" => {
           "vaNumber" => "11122233344",
            "balance" => "205569",
        "accountName" => "NAME"
    },
    "responseCode" => "00"
},

I think I've used that. it's just, I don't put it close like that. there is other source between them. does it have any effect?

Pada tanggal Sab, 29 Okt 2022 06.17, Badger via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> menulis:

Not unless they modify [responseBody].

i followed this, and i got this error:

"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [responseBody.data] of type [text] in document with id '6WQFLIQBueWIjhGITXWO'

> "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:59"}}}}}

I don't know why [responseBody][data] read as text. maybe it because the previous filter?

See this thread.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.