Quick help required: Logstash 2.3.1 Grok Plugin Parse Error

GOPAL_SUDARSANAM · April 9, 2016, 9:56am

Hi,

Your quick help on the following issue is greatly appreciated.

We are getting the following error, when Logstash is executing grok filter.
The grok configuration was perfectly working earlier.

S/W versions:

Logstash 2.3.1 (logstash-all-plugins-2.3.1)
kafka plugin for Logstash - logstash-input-kafka (2.0.6)
Kafka - kafka_2.11-0.9.0.0
elasticsearch-2.2.0

ERROR:
{:timestamp=>"2016-04-09T04:35:13.222000-0500", :message=>"JSON parse failure. Falling back to plain-text", :error=>#<LogStash::Json::ParserError: Unexpected character ('-' (code 45)): Expected space separating root-level values
at [Source: [B@4b6f6b88; line: 1, column: 6]>, :data=>"2016-04-09 04:35:13,218 {"Timestamp":"2016-04-09T04:35:13.216-05:00","CorrelationID":"c7bac074-2985-446c-a21e-6bb50358d1cc","TransactionID":"cd400826-065e-44b2-8e19-a623915cea2e","ApplicationID":"XXX","Hostname":"xxx.xxx.com","HostIP":"xxx.xx.xx.xxx","Service":"TrainService","Operation":"getEvent","ApplicationOrServicetype":"REST","Operationtype":"GET","OperationURL":"http://xxxx:8080/xxx/track/train/T1111","Code":"BARES","Subcode":"EventService-getEvent-1","Payload":"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" standalone=\\\"yes\\\"?>T111112,12AEI123D9999999","CarID":"T1111","BaseURI":"http://xxxx:8080/xxx/track/"}", :level=>:error}

GROK script:

filter {
grok {
match => { "message" => '%{DATESTAMP:MessageDate}[, ]%{NUMBER:milliseconds} %{GREEDYDATA:MessageData}' }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
json {
source => "MessageData"
}
mutate {
gsub => [
# Mask all sensitive data. NOTE: backslash need to be escaped
"Payload", '"sensitiveInfo"[=:]"."', '"sensitiveInfo":"[REDACTED]"',
"MessageData", '\\"sensitiveInfo\\"[=:]\\".\\"', '\"sensitiveInfo\":\"[REDACTED]\"',
"Payload", ".", "[REDACTED]",
"MessageData", ".", "[REDACTED]"
]
}
}

magnusbaeck · April 12, 2016, 6:29pm

Why are all the double quotes in your post escaped?

{:timestamp=>"2016-04-09T04:35:13.222000-0500", :message=>"JSON parse failure. Falling back to plain-text", ...

This indicates that you're using the json codec for your kafka input, but that's a bad idea since the payload obviously isn't pure JSON. Switch to the plain codec instead.

match => { "message" => '%{DATESTAMP:MessageDate}[, ]%{NUMBER:milliseconds} %{GREEDYDATA:MessageData}' }

If you look at the definition of DATESTAMP,

github.com

logstash-plugins/logstash-patterns-core/blob/v2.0.5/patterns/grok-patterns#L66-L72


      
          DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
          DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
          ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
          ISO8601_SECOND (?:%{SECOND}|60)
          TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
          DATE %{DATE_US}|%{DATE_EU}
          DATESTAMP %{DATE}[- ]%{TIME}

you'll see that it won't match your timestamp. Use TIMESTAMP_ISO8601 instead (and then you don't have to capture the milliseconds separately).

With those corrections I think it'll work.

Topic		Replies	Views
Logstash shows parsing error for json files Logstash	1	201	May 19, 2021
Logstash Json Parsing Error Logstash	2	220	August 25, 2023
Logstash config JSON parse error Logstash	4	1838	October 29, 2019
JSON parse failure. Falling back to plain-text Logstash	1	770	November 26, 2018
Elastic search parsing error Elasticsearch	10	17	October 14, 2024

Quick help required: Logstash 2.3.1 Grok Plugin Parse Error

Related topics