Pasring Json file

neo · February 18, 2019, 12:26pm

Hi All,
I'm trying to parse json file but I'm getting error and incorrect result

the log file look like this:

{
"Records": [{
"EventVersion": "1.0",
"EventSubscriptionArn": "XXX",
"EventSource": "XXX",
"Sns": {
"SignatureVersion": "1",
"Timestamp": "2019-02-11T11:24:00.000",
"Signature": "XXX",
"SigningCertUrl": "XXX",
"MessageId": "XXX",
"Message": "{"notificationType":"Delivery","mail":{"timestamp":"2019-02-10T11:24:52.986Z","source":"XXX.com","sourceArn":"XXX.com","sourceIp":"212.00.00.100","sendingAccountId":"081469076013","messageId":"4654654-000000","destination":["XXX.com"]},"delivery":{"timestamp":"2019-02-11T11:24:54.199Z","processingTimeMillis":1213,"recipients":["XXX.com"],"smtpResponse":"100 2.6.0 01000168dc4d7f7a-3ae05619-0b9e-4deb-82d2-5555018-000000@email.amazonses.com [InternalId=001, Hostname=Aoutlook.com] 10536 bytes in 0.187, 54.735 KB/sec Queued mail for delivery","remoteMtaIp":"100.00.0.55","reporti":"amazonses.com"}}",
"MessageAttributes": {},
"Type": "Notification",
"UnsubscribeUrl": "XXX",
"TopicArn": "XXX",
"Subject": null
}
}]
}

the conf file look like this:

filter {
if "emails_logs" in [tags] {
json {
source => "message"
target => "message"
}
json {
source => "[message][Records]"
target => "[message][Records]"
}

split { field => "[message][Records][Sns]" }
split { field => "[message][Records][Sns][Message]" }

}
}

Can you help me to parse it?

pjanzen · February 18, 2019, 12:38pm

The json posted is invalid. On the line where it is says message there are extra " caracters.

This is the correct json

{
	"Records": [{
		"EventVersion": "1.0",
		"EventSubscriptionArn": "XXX",
		"EventSource": "XXX",
		"Sns": {
			"SignatureVersion": "1",
			"Timestamp": "2019-02-11T11:24:00.000",
			"Signature": "XXX",
			"SigningCertUrl": "XXX",
			"MessageId": "XXX",
			"Message": {
				"notificationType": "Delivery",
				"mail": {
					"timestamp": "2019-02-10T11:24:52.986Z",
					"source": "XXX.com",
					"sourceArn": "XXX.com",
					"sourceIp": "212.00.00.100",
					"sendingAccountId": "081469076013",
					"messageId": "4654654-000000",
					"destination": ["XXX.com"]
				},
				"delivery": {
					"timestamp": "2019-02-11T11:24:54.199Z",
					"processingTimeMillis": 1213,
					"recipients": ["XXX.com"],
					"smtpResponse": "100 2.6.0 01000168dc4d7f7a-3ae05619-0b9e-4deb-82d2-5555018-000000@email.amazonses.com [InternalId=001, Hostname=Aoutlook.com] 10536 bytes in 0.187, 54.735 KB/sec Queued mail for delivery",
					"remoteMtaIp": "100.00.0.55",
					"reporti": "amazonses.com"
				}
			},
			"MessageAttributes": {},
			"Type": "Notification",
			"UnsubscribeUrl": "XXX",
			"TopicArn": "XXX",
			"Subject": null
		}
	}]
}

neo · February 18, 2019, 12:55pm

Tnx,
Do you have idea how to parse it?

pjanzen · February 18, 2019, 1:23pm

Ok, not sure if this is what you need but this is what I got.

Config:

input {
  file {
    path => '/home/pjanzen/json.txt'
    sincedb_path => '/dev/null'
    start_position => 'beginning'
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  stdout {
    codec => "rubydebug"
  }
}

Output:

{
          "path" => "/home/pjanzen/json.txt",
       "message" => "{\"Records\": [{\"EventVersion\": \"1.0\",\"EventSubscriptionArn\": \"XXX\",\"EventSource\": \"XXX\",\"Sns\": {\"SignatureVersion\": \"1\",\"Timestamp\": \"2019-02-11T11:24:00.000\",\"Signature\": \"XXX\",\"SigningCertUrl\": \"XXX\",\"MessageId\": \"XXX\",\"Message\": {\"notificationType\": \"Delivery\",\"mail\": {\"timestamp\": \"2019-02-10T11:24:52.986Z\",\"source\": \"XXX.com\",\"sourceArn\": \"XXX.com\",\"sourceIp\": \"212.00.00.100\",\"sendingAccountId\": \"081469076013\",\"messageId\": \"4654654-000000\",\"destination\": [\"XXX.com\"]},\"delivery\": {\"timestamp\": \"2019-02-11T11:24:54.199Z\",\"processingTimeMillis\": 1213,\"recipients\": [\"XXX.com\"],\"smtpResponse\": \"100 2.6.0 01000168dc4d7f7a-3ae05619-0b9e-4deb-82d2-5555018-000000@email.amazonses.com [InternalId=001, Hostname=Aoutlook.com] 10536 bytes in 0.187, 54.735 KB/sec Queued mail for delivery\",\"remoteMtaIp\": \"100.00.0.55\",\"reporti\": \"amazonses.com\"}},\"MessageAttributes\": {},\"Type\": \"Notification\",\"UnsubscribeUrl\": \"XXX\",\"TopicArn\": \"XXX\",\"Subject\": null}}]}",
    "@timestamp" => 2019-02-18T13:21:06.977Z,
      "@version" => "1",
       "Records" => [
        [0] {
                    "EventVersion" => "1.0",
            "EventSubscriptionArn" => "XXX",
                             "Sns" => {
                          "Message" => {
                                "mail" => {
                               "timestamp" => "2019-02-10T11:24:52.986Z",
                        "sendingAccountId" => "081469076013",
                               "messageId" => "4654654-000000",
                             "destination" => [
                            [0] "XXX.com"
                        ],
                                "sourceIp" => "212.00.00.100",
                                  "source" => "XXX.com",
                               "sourceArn" => "XXX.com"
                    },
                            "delivery" => {
                        "processingTimeMillis" => 1213,
                                   "timestamp" => "2019-02-11T11:24:54.199Z",
                                "smtpResponse" => "100 2.6.0 01000168dc4d7f7a-3ae05619-0b9e-4deb-82d2-5555018-000000@email.amazonses.com [InternalId=001, Hostname=Aoutlook.com] 10536 bytes in 0.187, 54.735 KB/sec Queued mail for delivery",
                                     "reporti" => "amazonses.com",
                                 "remoteMtaIp" => "100.00.0.55",
                                  "recipients" => [
                            [0] "XXX.com"
                        ]
                    },
                    "notificationType" => "Delivery"
                },
                        "Signature" => "XXX",
                        "Timestamp" => "2019-02-11T11:24:00.000",
                        "MessageId" => "XXX",
                   "UnsubscribeUrl" => "XXX",
                   "SigningCertUrl" => "XXX",
                         "TopicArn" => "XXX",
                          "Subject" => nil,
                 "SignatureVersion" => "1",
                "MessageAttributes" => {},
                             "Type" => "Notification"
            },
                     "EventSource" => "XXX"
        }
    ],
          "host" => "tb-clog-ls1"
}

system · March 18, 2019, 1:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is wrong with my JSON file? Why this is not being parsed? Logstash	13	615	February 2, 2019
Parse json data with logstash Logstash	8	7740	March 23, 2022
Unable to parse JSON Array object in Logstash Logstash	2	3979	July 11, 2017
JSON Parse Failure using logstash Logstash	5	3280	May 27, 2020
Parse Json Logs using logstash Logstash	2	275	March 25, 2021

Pasring Json file

Related topics