Unexpected character '<'

colix · February 28, 2019, 3:00pm

Hi, i sent json log to logstash.

Logstash config:

input {
udp {
port => 5001
codec => "json"
}
}

filter {
     json {
     source => "message"
}
}

output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "elasticsearch:9200" ]
}
}
}

But log on logstash container deliver with bad prefix - <190>1 and etc.

I can't parse json log.

How i can remove this prefix?

   2019-02-28T14:48:05.337654192Z [2019-02-28T14:48:05,337][ERROR][logstash.codecs.json     ] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
    2019-02-28T14:48:05.337685673Z  at [Source: (String)"<190>1 2019-02-28T17:47:58+03:00 rnis-fpo-t1sync-2 php-t1sync 1021 - - {"message":"Register service [com.rnis.t1sync] with subjects","context":[["com.rnis.t1sync.action.history","com.rnis.t1sync.action.mileage","com.rnis.t1sync.action.odometr","com.rnis.t1sync.action.motohours","com.rnis.t1sync.action.odometr.multiple","com.rnis.t1sync.action.history.multiple","com.rnis.t1sync.action.device.find","com.rnis.t1sync.action.device.score","com.rnis.t1sync.action.device.tachograph","com.rnis.t1sync.ac"[truncated 403 chars]; line: 1, column: 2]>, :data=>"<190>1 2019-02-28T17:47:58+03:00 rnis-fpo-t1sync-2 php-t1sync 1021 - - {\"message\":\"Register service [com.rnis.t1sync] with subjects\",\"context\":[[\"com.rnis.t1sync.action.history\",\"com.rnis.t1sync.action.mileage\",\"com.rnis.t1sync.action.odometr\",\"com.rnis.t1sync.action.motohours\",\"com.rnis.t1sync.action.odometr.multiple\",\"com.rnis.t1sync.action.history.multiple\",\"com.rnis.t1sync.action.device.find\",\"com.rnis.t1sync.action.device.score\",\"com.rnis.t1sync.action.device.tachograph\",\"com.rnis.t1sync.action.extended_data\",\"com.rnis.t1sync.action.device.arhived_telematics\",\"com.rnis.system.event.status.collect\"]],\"level\":200,\"level_name\":\"INFO\",\"channel\":\"lumen\",\"datetime\":{\"date\":\"2019-02-28 17:47:58.960518\",\"timezone_type\":3,\"timezone\":\"Europe/Moscow\"},\"extra\":[],\"timestamp\":\"2019-02-28T17:47:58.960518+0300\",\"service\":\"t1sync\",\"env\":\"production\",\"hostname\":\"rnis-fpo-t1sync-2\",\"ip\":\"10.42.88.188\"}\n"

Badger · February 28, 2019, 3:23pm

You should not have both a json codec and a json filter. In this case you need to use a json filter.

    dissect { mapping => { "message" => "<%{pri}>%{item1} %{ts} %{hostname} %{item2} %{item3} - - %{restOfLine}" } }
    json { source => "restOfLine" }

colix · February 28, 2019, 8:00pm

Even if i don't use json filter i have bad prefix

system · March 28, 2019, 8:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON parse error, original data now in message field Logstash	4	9313	September 7, 2017
Grok filter help Logstash	5	1363	July 6, 2017
JSON parser error Logstash	6	667	May 28, 2021
LogStash::Json::ParserError: Unexpected character ('(' (code 40)) Logstash	10	1516	August 9, 2022
JSON parse error, original data now in message field {:message=>"Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')\n at [Source: (String) Logstash	12	5533	February 1, 2023

Unexpected character '<'

Related topics