Stripping text from a JSON file

Toontje · March 21, 2017, 2:11pm

Hi all!

I have a valid JSON structure that is prepended with a fixed string and then a number. Something like:

RRR This is the leading string created at 01-01-2017 at 12:34:56:
{ 
     valid JSON 
}

So there is a fixes string "RRR This is the ...." and a variable part, the date and time. Ah, and BTW, the string is always the same length.
How do i use FileBeats or LogStash to strip off that leading string so i only get valid JSON in ES?

This is what i tried so far:

   input {
    beats {
        port => "5043"
    }
}

filter {
    mutate {
        gsub => ["message", "^(.*){", ""]
    }

    json {
        source => "data"
    }

    date {
        match => [ "receivedTime", "UNIX" ]
        target => "@timestamp"
    }
}

output {
  elasticsearch {
  hosts => [ "localhost:9200" ]
  index => filebeat
  }
}

and i keep getting the following message:

2017/03/21 18:26:01.644365 json.go:34: ERR Error decoding JSON: invalid character 'R' looking for beginning of value
2017/03/21 18:26:01.644428 json.go:34: ERR Error decoding JSON: json: cannot unmarshal number into Go value of type map[string]interface {}

Thanks,

Ton.

magnusbaeck · March 22, 2017, 6:22am

Do not configure Filebeat to treat the input as JSON, because it isn't JSON. Do make sure to configure the multiline feature so the lines are joined into a single logical message.

I don't see how the source option for your json filter could make sense. Where does the data field come from?

Toontje · March 22, 2017, 9:13am

Ok, removed the JSON from FileBeat, "data" is the top field in my JSON document. If all my log entries are on the same line, do i need the multiline?

magnusbaeck · March 22, 2017, 11:22am

If all my log entries are on the same line, do i need the multiline?

No.

Toontje · March 22, 2017, 6:34pm

Remember i'm still a newbie. After fighting a lot with regex i just solved it like this:

filter {
    grok {
        patterns_dir => ["./patterns"]
        match => { "message" => "%{DATA:todelete}: %{GREEDYDATA:message}" }
        remove_field => "todelete"
        overwrite => ["message"]
    }
   json {
       source => "message"
   }
   date {
       match => [ "receivedTime", "UNIX_MS" ]
   }
}

This works as i want it to work. Now i face the "Objects in arrays are not well supported" issue, but i will open another topic for this.

magnusbaeck · March 22, 2017, 8:08pm

Replace %{DATA:todelete} with %{DATA} and you won't need remove_field. You can also use a mutate filter's gsub option to trim the message field in-place.

system · April 19, 2017, 8:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Text removal from logs with Filebeat or Logstash Beats filebeat	3	466	March 31, 2020
JSON Logs Parsed with JSON codec but not JSON filter Logstash	3	1045	February 15, 2018
Moving from Logstash to Filebeat Beats filebeat	2	480	December 11, 2019
Need help with parsing json fields Logs	4	3701	April 15, 2019
Err: Error decoding JSON Beats filebeat	18	9001	March 24, 2017

Stripping text from a JSON file

Related topics