Hello. I have problem with json logs. Some of logs isn't pushed to Elastic+Kibana properly. I get this error:
"[2019-11-21T08:51:24,441][ERROR][logstash.codecs.json ][main] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character (',' (code 44)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (String)", "sgDuration": 203, "sgCategory": "Under1000ms", "CallerMemberName": "LogIfSlowExecution", "CallerFilePath": "X:\TC\sssssssssssssssssssssssssssssssssssssssss", "CallerLineNumber": 146 }
"; line: 1, column: 2]>, :data=>", "sgDuration": 203, "sgCategory": "Under1000ms", "CallerMemberName": "LogIfSlowExecution", "CallerFilePath": "ssssssssssssssssssssssssssssssssss", "CallerLineNumber": 146 }\r"}"
In file where logs is placed - original log:
{ "@timestamp": "2019-10-11T13:41:56.617Z", "event_timestamp": "2019-10-11T13:41:56.6171499Z", "level": "Warn", "Logger": "Creadhoc.Common.NH.SessionManager", "message": "SlowGet SessionManager Instance", "messageTemplate": "SlowGet SessionManager Instance", "MachineName": "ssssssssssss", "ApplicationType": "sssssssss", "Version": "0.0.0.0", "Branch": "release/0.0", "Environment": "Testing", "DeploymentDestination": "200171", "AspNET-MVC-Action": "Index", "AspNET-MVC-Controller": "ssssssss", "AspNET-Request-Host": "0.1.0.0", "AspNET-Request-Method": "GET", "AspNET-Request-Url": "http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/", "IIS-Site-Name": "xxxxxxxxxxxxxxxxxxxxxx", "sgDuration": 203, "sgCategory": "Under1000ms", "CallerMemberName": "LogIfSlowExecution", "CallerFilePath": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "CallerLineNumber": 146 }
This file contain multiple lines with JSONs. Some are loaded properly. Some no. Can help?
My import_logs.conf:
input {
file {
path => ["E:/**/log-*.json"]
# start_position => "beginning"
sincedb_path => "C:/ProgramData/Elastic/Logstash/file_track"
codec => json
ignore_older => 7200 # 2 hours
max_open_files => 16000
}
}filter {
if [Environment] =~ /^(?i)Production$/ {
mutate {
add_field => {
"Index" => "logs-prod-%{+yyyy.MM.dd}"
}
}
} else if [Environment] =~ /^(?i)Testing$/ {
mutate {
add_field => {
"Index" => "logs-testing-%{+yyyy.MM.dd}"
}
}
} else {
mutate {
add_field => {
"Index" => "logs-dev-%{+yyyy.MM.dd}"
}
}
}mutate {
remove_field => [ "host", "path", "event_timestamp" ]
}ruby {
# handle old NLog configurations where the "exception" (and others) field is ordinary string
code => "
if event.include?('exception') && event.get('exception').is_a?(String)
event.set('exception.json', event.get('exception'))
event.remove('exception')
endif event.include?('exception.Response') && event.get('exception.Response').is_a?(String) event.set('exception.ResponseString', event.get('exception.Response')) event.remove(exception.Response) end if event.include?('exception.State') && event.get('exception.State').is_a?(Numeric) event.set('exception.StateNumber', event.get('exception.State')) event.remove('exception.State') end if event.include?('exception.Code') && event.get('exception.Code').is_a?(String) event.set('exception.CodeString', event.get('exception.Code')) event.remove('exception.Code') end
if event.include?('exception.Errors.TypeMap.Profile.DefaultMemberConfig.NameMapper.NamedMappers') && event.get('exception.Errors.TypeMap.Profile.DefaultMemberConfig.NameMapper.NamedMappers').is_a?(String)
event.set('exception.Errors.TypeMap.Profile.DefaultMemberConfig.NameMapper.NamedMappersText', event.get('exception.Errors.TypeMap.Profile.DefaultMemberConfig.NameMapper.NamedMappers'))
event.remove('exception.Errors.TypeMap.Profile.DefaultMemberConfig.NameMapper.NamedMappers')
end
"
}}
output {
stdout { codec => rubydebug }elasticsearch {
id => "master_output"
hosts => [ "" ]
index => "%{[Index]}"
template => "C:/ProgramData/Elastic/Logstash/config/elasticsearch-template-es6x_doc.json"
manage_template => true
template_name => "logs"
template_overwrite => true
}}