Logstash does not parse json

Question

When i see results in Kibana, i see that there are no fields from JSON, more over, message field contains only \"status\" : \"FAILED\".

Is

Answer 1

Yes. you need to add a filter to your config, something like this.

filter{
    json{
        source => "message"
    }
}

It's described pretty well in the docs here

EDIT The json codec doesn't seem to like having an array passed in. A single element works with this config:

Input:

{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }

Logstash Result:

{
      "message" => "{\"uid\":\"441d1d1dd296fe60\",\"name\":\"test_buylinks\",\"title\":\"Testbuylinks\",\"time\":{\"start\":1419621623182,       \"stop\":1419621640491,\"duration\":17309      },      \"severity\":\"NORMAL\",      \"status\":\"FAILED\"   }",
     "@version" => "1",
   "@timestamp" => "2015-02-26T23:25:12.011Z",
         "host" => "emmet.local",
          "uid" => "441d1d1dd296fe60",
         "name" => "test_buylinks",
        "title" => "Testbuylinks",
         "time" => {
          "start" => 1419621623182,
           "stop" => 1419621640491,
       "duration" => 17309
   },
     "severity" => "NORMAL",
       "status" => "FAILED"

}

Now with an array:

Input

[{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }, {"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }]

Result:

Trouble parsing json {:source=>"message", :raw=>"[{\"uid\":\"441d1d1dd296fe60\",\"name\":\"test_buylinks\",\"title\":\"Testbuylinks\",\"time\":{\"start\":1419621623182,       \"stop\":1419621640491,\"duration\":17309      },      \"severity\":\"NORMAL\",      \"status\":\"FAILED\"   }, {\"uid\":\"441d1d1dd296fe60\",\"name\":\"test_buylinks\",\"title\":\"Testbuylinks\",\"time\":{\"start\":1419621623182,       \"stop\":1419621640491,\"duration\":17309      },      \"severity\":\"NORMAL\",      \"status\":\"FAILED\"   }]", :exception=>#<TypeError: can't convert Array into Hash>, :level=>:warn}
{
      "message" => "[{\"uid\":\"441d1d1dd296fe60\",\"name\":\"test_buylinks\",\"title\":\"Testbuylinks\",\"time\":{\"start\":1419621623182,       \"stop\":1419621640491,\"duration\":17309      },      \"severity\":\"NORMAL\",      \"status\":\"FAILED\"   }, {\"uid\":\"441d1d1dd296fe60\",\"name\":\"test_buylinks\",\"title\":\"Testbuylinks\",\"time\":{\"start\":1419621623182,       \"stop\":1419621640491,\"duration\":17309      },      \"severity\":\"NORMAL\",      \"status\":\"FAILED\"   }]",
     "@version" => "1",
   "@timestamp" => "2015-02-26T23:28:21.195Z",
         "host" => "emmet.local",
         "tags" => [
       [0] "_jsonparsefailure"
   ]
}

This looks like a bug in the codec, can you change your messages to an object rather than an array?

Answer 2

Reading in a file containing a JSON array is way harder than it should be. Below is a working pipeline configuration

input {
  exec {
    command => "cat /path/file_containing_json_array.txt"
    codec => "json"
    interval => 3600
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Answer 3

Try the json_lines codec instead of json. This must have been added recently. In your particular case, you'd first want to change your output from a list of json to newline-delimited json.

http://logstash.net/docs/1.4.0/codecs/json_lines

This codec will decode streamed JSON that is newline delimited. For decoding JSON payload in the redis input for example, use the json codec instead. Encoding will emit a single JSON string ending in a '\n'