Trouble with escaped fields in nested JSON... Causing LogStash Json ParserError: Unrecognized token

steven-lacher · April 23, 2018, 1:41pm

I'm having trouble parsing nested JSON from events. I'm concerned I'm not dealing with the escaped quotation marks properly, or missing some interim step.

Original entry as written to the log
{"timeMillis":1524260622838,"thread":"https-jsse-nio-8004-exec-10","level":"INFO","loggerName":"xor.bcmc.flarecloud.utils.http.filter.ReqResFilter","message":"Response sent: {\"response\":{\"status-code\":200,\"headers\":[{\"content-encoding\":\"UTF-8\",\"content-type\":\"application/json;charset=UTF-8\"},{},{\"X-Content-Type-Options\":\"nosniff\"},{\"X-XSS-Protection\":\"1; mode=block\"},{\"Cache-Control\":\"no-cache, no-store, max-age=0, must-revalidate\"},{\"Pragma\":\"no-cache\"},{\"Expires\":\"0\"},{\"Strict-Transport-Security\":\"max-age=31536000 ; includeSubDomains\"},{\"X-Frame-Options\":\"DENY\"},{\"Set-Cookie\":\"JSESSIONID=74A1B323C877C840F3E00232697F9BF1; Path=/; Secure; HttpOnly\"},{\"X-Application-Context\":\"users:8004\"},{\"Content-Type\":\"application/json;charset=UTF-8\"},{\"Transfer-Encoding\":\"chunked\"},{\"Date\":\"Fri, 20 Apr 2018 21:43:42 GMT\"}],\"message-body\":{\"_id\":\"0\",\"username\":\"admin\",\"password\":\"$2a$10$HfDlF5ylNQAJSAe/bZer5e0Ync5QK/Qo8u/sFWJd2Us014FKBWmH2\",\"roles\":[{\"role\":\"ROLE_ADMIN\"}],\"tags\":[],\"certificate\":{\"id\":\"5ada5170bf15d3269b8052d7\",\"issuer_hash\":50917989,\"serial_number\":13798258158239537265,\"not_before\":\"2017-09-12T20:00:13Z\",\"not_after\":\"2018-09-12T20:00:13Z\"}}}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"x-transaction-id":"802ec34b-fbc3-4728-b0ad-fd1c582f05c8"},"threadId":43,"threadPriority":5}

Filter config
filter {

    json {
        source => "message"
        target => "jlog"
      }

    grok {
        match => { "[jlog]" => "(Response sent:) %{GREEDYDATA:object}" }
      }  

    mutate {
      gsub => ["object","[\\]",""]
    }  

      json {
        source => "[object]"
        target => "jobject"
      }


      mutate {
        add_field => {
          "status-code" => "%{[object][status-code]}"
        }
      }
}

Error displayed in logstash-plain.log

[2018-04-20T21:44:33,601][WARN ][logstash.filters.json    ] Error parsing json {:source=>"[object]", :raw=>"{\"response\":{\"status-code\":200,\"headers\":[{\"content-encoding\":\"UTF-8\",\"content-type\":\"application/json;charset=UTF-8\"},{},{\"X-Content-Type-Options\":\"nosniff\"},{\"X-XSS-Protection\":\"1; mode=block\"},{\"Cache-Control\":\"no-cache, no-store, max-age=0, must-revalidate\"},{\"Pragma\":\"no-cache\"},{\"Expires\":\"0\"},{\"Strict-Transport-Security\":\"max-age=31536000 ; includeSubDomains\"},{\"X-Frame-Options\":\"DENY\"},{\"Set-Cookie\":\"JSESSIONID=74A1B323C877C840F3E00232697F9BF1; Path=/; Secure; HttpOnly\"},{\"X-Application-Context\":\"users:8004\"},{\"Content-Type\":\"application/json;charset=UTF-8\"},{\"Transfer-Encoding\":\"chunked\"},{\"Date\":\"Fri, 20 Apr 2018 21:43:42 GMT\"}],\"message-body\":{\"_id\":\"0\",\"username\":\"admin\",\"password\":\"$2a$10$HfDlF5ylNQAJSAe/bZer5e0Ync5QK/Qo8u/sFWJd2Us014FKBWmH2\",\"roles\":[{\"role\":\"ROLE_ADMIN\"}],\"tags\":[],\"certificate\":{\"id\":\"5ada5170bf15d3269b8052d7\",\"issuer_hash\":50917989,\"serial_number\":13798258158239537265,\"not_before\":\"2017-09-12T20:00:13Z\",\"not_after\":\"2018-09-12T20:00:13Z\"}}}}\", \"threadId\"=>43}", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'threadId': was expecting 'null', 'true', 'false' or NaN
 at [Source: (byte[])"{"response":{"status-code":200,"headers":[{"content-encoding":"UTF-8","content-type":"application/json;charset=UTF-8"},{},{"X-Content-Type-Options":"nosniff"},{"X-XSS-Protection":"1; mode=block"},{"Cache-Control":"no-cache, no-store, max-age=0, must-revalidate"},{"Pragma":"no-cache"},{"Expires":"0"},{"Strict-Transport-Security":"max-age=31536000 ; includeSubDomains"},{"X-Frame-Options":"DENY"},{"Set-Cookie":"JSESSIONID=74A1B323C877C840F3E00232697F9BF1; Path=/; Secure; HttpOnly"},{"X-Application-"[truncated 507 bytes]; line: 1, column: 1003]>}

magnusbaeck · April 23, 2018, 2:19pm

Multiple problems:

The JSON string you want to parse is in the [jlog][message] field, not [jlog].
Don't remove any backslashes with gsub.

steven-lacher · April 23, 2018, 3:04pm

To be clear, you're saying in the grok filter to use [jlog][message]?

Like so?

filter {
    
    json {
        source => "message"
        target => "jlog"
      }

    grok {
        match => { "[jlog][message]" => "(Response sent:) %{GREEDYDATA:object}" }
      }  

      json {
        source => "[object]"
        target => "jobject"
      }


      mutate {
        add_field => {
          "status-code" => "%{[object][status-code]}"
        }
      }
}

magnusbaeck · April 23, 2018, 5:42pm

Yes, this should work. Why not try it out? Build your set of filters gradually and you'll see what works and what doesn't.

Speaking of things that don't work, your final mutate attempts to address a subfield from the string field. object. The parsed JSON string is in the jobject field, and the status-code subfield is nested even further down so what you're looking for is %{[jobject][response][status-code]}.

steven-lacher · April 23, 2018, 6:21pm

That works beautifully! Thank you very much!

system · May 21, 2018, 6:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nested json imposible to parse Logstash	7	1505	July 6, 2017
Nested json as a string field Logstash	3	1643	February 13, 2019
Error while parsing nested json on filebeat Logstash	1	389	August 31, 2022
My nested json is not getting parsed correctly, need help pls Logstash	4	637	May 2, 2020
Unable to parse nested json using logstash json filter Logstash	6	1187	October 16, 2019

Trouble with escaped fields in nested JSON... Causing LogStash Json ParserError: Unrecognized token

Related topics