Parsing JSON in Logstash - Getting _jsonparsefailure error

Hi

I am trying to parse a JSON file as below:

{
    "glossary": {
        "title": "example glossary",
        "GlossDiv": {
            "title": "S",
            "GlossList": {
                "GlossEntry": {
                    "ID": "SGML",
                    "SortAs": "SGML",
                    "GlossTerm": "Standard Generalized Markup Language",
                    "Acronym": "SGML",
                    "Abbrev": "ISO 8879:1986",
                    "GlossDef": {
                        "para": "A meta-markup language, used to create markup languages such as DocBook.",
                        "GlossSeeAlso": ["GML", "XML"]
                    },
                    "GlossSee": "markup"
                }
            }
        }
    }
}

Below is the logstash configuration for this:

> input {
> 	file {
>         start_position => beginning
> 		path => ["D:/ELK Demo Logs/POC/JSON/*.JSON"]
> 		codec => "json"
>         add_field => [ "log_type","JSON" ]
> 	}
> }
> 
> 
> # The filter part of this file is commented out to indicate that it is
> # optional.
>  filter { 
> 	if [log_type] == "JSON" {
> 		json {
> 				source => "message"
> 				target => "parsedJSON"
> 			}
> 					
> 		mutate { 
> 		add_field => ["Log_Source", "JSON"]
> 		
> 		}
> 	}
> }
> 
> output {
>    elasticsearch {
>     hosts => "localhost:9200"
> 	manage_template => false
> 	index => "filebeat-%{+YYYY.MM.dd}" 
>   }
>  stdout { codec => rubydebug }
> }

But when I run Logstash and try to parse the JSON file, I get a _jsonparsefailure error.

Please find below the error snapshot.

Can anyone please help in getting this issue resolved? I have been struggling with this issue for the last week.

Thanks

Hi,

Your input add field is wrong.

Also, you should not post images; those can be very hard to read depending on your device.

Paul.

A file input reads a file one line at a time unless you use a multiline filter. In this case you appear to want to read the entire file as one event. To do that you can use a multiline filter with a pattern that never matches:

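input {
    file {
       path => "/some/path/foo.json"
       # Do not persist the read position, so the file is re-read on every start
       sincedb_path => "/dev/null"
       start_position => "beginning"
       mode => "tail"
       codec => multiline {
           # Chosen so that no line in the file matches it
           pattern => "^Spalanzani"
           # With negate, every non-matching line is joined to the previous one
           negate => true
           what => "previous"
           # Emit the accumulated event after 1 second without new lines
           auto_flush_interval => 1
       }
    }
}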
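
Added example (not part of the original thread and not Logstash code): a small Python model of why a pretty-printed file read one line per event yields _jsonparsefailure on every line, and why the never-matching multiline pattern with negate => true turns the file into a single parseable event. The function names and the shortened sample document are constructed for illustration.

```python
import json
import re

# Constructed sample: a pretty-printed JSON document spread over several lines,
# shortened from the glossary file in the question.
SAMPLE = """{
    "glossary": {
        "title": "example glossary",
        "GlossDiv": {
            "GlossSeeAlso": ["GML", "XML"]
        }
    }
}
"""

def parse_events(events):
    """Decode each event as JSON; tag failures the way Logstash does."""
    out = []
    for message in events:
        try:
            out.append({"parsedJSON": json.loads(message)})
        except json.JSONDecodeError:
            out.append({"message": message, "tags": ["_jsonparsefailure"]})
    return out

def multiline(lines, pattern, negate=False):
    """Model of multiline with what => "previous": a line that matches the
    pattern (or does not match, when negate is true) joins the prior event."""
    regex = re.compile(pattern)
    events = []
    for line in lines:
        belongs_to_previous = bool(regex.search(line)) != negate
        if belongs_to_previous and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

def line_by_line(text):
    # Default file input behaviour: one event per line.
    return parse_events(text.splitlines())

def whole_file(text):
    # The pattern never matches and negate is true, so every line is merged.
    return parse_events(multiline(text.splitlines(), r"^Spalanzani", negate=True))

if __name__ == "__main__":
    print(sum("tags" in e for e in line_by_line(SAMPLE)), "failed line events")
    print(whole_file(SAMPLE)[0]["parsedJSON"]["glossary"]["title"])
```
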
