[2018-05-16T00:44:29,119][WARN ][logstash.filters.json ] Error parsing json {:source=>"message", :raw=>"05/15/2018\t13:21:28:464\tCaller=WORK\tOperator=work\tMessage=GetRelationship\tVersion=005\tService=RelationshipServer\tServer=localhost\tKeyCnt=1\tKey=D1231231-3-2,\tMsgId=6e3e3f84-3f49-496d-a287-3b277a598538\tElapsedTime=64", :exception=>#<LogStash::Json::ParserError: Invalid numeric value: Leading zeroes not allowed
Steps to Reproduce:
Filebeat reads the log files and publishes to a topic in Kafka. Logstash reads from the Kafka topic, and the filter is applied. During filtering, the json filter throws the error above.
When Kafka is not used and Filebeat sends directly to Logstash, there is no failure.
We cannot go to the log/app owner and ask for a correction to the log format.
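For context, a minimal reconstruction of the setup being described (the broker address and topic name are placeholders, not taken from this thread):

    input {
      kafka {
        bootstrap_servers => "localhost:9092"   # placeholder broker
        topics => ["app-logs"]                  # placeholder topic written by Filebeat
      }
    }

    filter {
      # this is where the ParserError shown above is raised
      json { source => "message" }
    }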
That is, you are overwriting the message field with a string that is not JSON, then trying to parse that with a json filter. What does rubydebug produce if you remove the json filter?
I don't think you need a json filter. The fact that message contains "05/15/2018\t13:21:28:464\tCaller=WORK\tOperator=work\tMessage=GetRelationship\tVersion=005\tService=RelationshipServer\tServer=localhost\tKeyCnt=1\tKey=D1231231-3-2,\tMsgId=6e3e3f84-3f49-496d-a287-3b277a598538\tElapsedTime=64" indicates it has already been parsed as JSON.
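One common way the envelope ends up decoded before any filter runs (an assumption about this setup, since the actual config was not posted) is a json codec on the kafka input; with that in place, a json filter on message is a second parse of a string that is no longer JSON:

    input {
      kafka {
        bootstrap_servers => "localhost:9092"   # placeholder
        topics => ["app-logs"]                  # placeholder
        codec => json   # the Filebeat JSON envelope is decoded here, once
      }
    }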
@Badger I tried reading the JSON message directly, but it failed because we also have a grok pattern.
Basically, we are extracting the message from the Kafka message using the json filter, and then applying a grok pattern to the result.
What needs to be done to stop the JSON parse failure? Any suggestions?
The answer is to remove the json filter. The incoming JSON has already been parsed and does not need to be parsed a second time. If you are talking about some other error, please show the error, the configuration that produces it, and the 'stdout { codec => rubydebug }' output.
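For reference, that debugging output is just another output block; add it alongside the existing outputs and Logstash prints each event to stdout so you can see exactly which fields it carries:

    output {
      stdout { codec => rubydebug }
    }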
@Badger I have been trying different options. What I see is that if we remove the json filter, the key-value pairs do not show up when the event is inserted into Elasticsearch. It is just the complete JSON message itself.
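For what it's worth, the inner payload here is tab-separated Key=Value pairs, so a kv filter can extract the fields without any grok pattern. A sketch, assuming a single json parse of the Filebeat envelope has already run; the kv filter simply ignores the leading date and time tokens because they contain no '=':

    filter {
      json { source => "message" }   # one parse of the envelope
      kv {
        source      => "message"     # now holds the tab-delimited payload
        field_split => "\t"          # needs config.support_escapes: true in logstash.yml
        value_split => "="           # Key=Value
      }
    }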
This is commonly misunderstood. Unless you are using pipelines.yml to point individual pipelines at different configuration files, Logstash concatenates all the configuration files. If you point -f at a directory that contains app1.conf, app2.conf and app3.conf, it will read events from all the inputs, put them through every filter in every file (with the files ordered in dictionary sort order), then send the events to every output.
So if app1.conf has 'json { source => message }' it will overwrite the message field with the contents of "message": "05/15/2018\t13:21:28:464\tCaller=WORK...". Then if app2.conf also has 'json { source => message }' it will fail to parse that, since it is not valid JSON. You do not need the json filter in both files, unless you are using conditionals to make sure the filters are only applied to specific messages.
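Concretely, two ways to keep a single parse, sketched with assumed names ([fields][app] would have to be set in each Filebeat's configuration, which is not shown in this thread). Either guard the json filter with a conditional:

    filter {
      if [fields][app] == "app1" {
        json { source => "message" }
      }
    }

or use pipelines.yml to give each configuration file its own pipeline, so the filters are never concatenated:

    - pipeline.id: app1
      path.config: "/etc/logstash/conf.d/app1.conf"
    - pipeline.id: app2
      path.config: "/etc/logstash/conf.d/app2.conf"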
Yes, you can number the files to make the order clearer. It will still read from all the inputs, apply all the filters, and write the same events to every output unless you use conditionals.
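The same conditional approach works on the output side; for example (hosts and index name assumed):

    output {
      if [fields][app] == "app1" {
        elasticsearch {
          hosts => ["localhost:9200"]
          index => "app1-%{+YYYY.MM.dd}"
        }
      }
    }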