时间戳

首页 > 解决方案 > LogStash::Json::ParserError: Unexpected character ('.' (code 46)): 需要空格分隔根级值

json - LogStash::Json::ParserError: Unexpected character ('.' (code 46)): 需要空格分隔根级值

问题描述

嗨,我从 logstash 收到此错误消息,因为没有生成新字段。似乎它与IP格式有关,只是因为我对其他领域没有问题。

[WARN ] 2020-09-21 00:32:19.286 [[main]>worker1] json - Error parsing json {:source=>"[layers][ip][ip_ip_src_host]", :raw=>"10.5.28.65", :exception=>#<LogStash::Json::ParserError: Unexpected character ('.' (code 46)): Expected space separating root-level values

我的logstash输入是:

 file {
    path => "/home/ubuntu/logstash/traffic/*pcap000.json"
    start_position => "beginning"
    sincedb_path => "NUL"
    codec => json {
      charset => "UTF-8"
    }

我的logstash json过滤器产生错误是:

json {
    source => "[layers][ip][ip_ip_src_host]"
    target => "ip_source"
  }

来源是

{"timestamp":"1599619294714","layers":{"frame":{"frame_frame_encap_type":"7","frame_frame_time":"2020-09-09T02:41:34.714912000Z","frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"1599619294.714912000","frame_frame_time_delta":"0.016702000","frame_frame_time_delta_displayed":"0.016702000","frame_frame_time_relative":"7.899440000","frame_frame_number":"427","frame_frame_len":"48","frame_frame_cap_len":"48","frame_frame_marked":false,"frame_frame_ignored":false,"frame_frame_protocols":"raw:ip:tcp"},"raw":{},"ip":{"ip_ip_version":"4","ip_ip_hdr_len":"20","ip_ip_dsfield":"0x00000000","ip_ip_dsfield_dscp":"0","ip_ip_dsfield_ecn":"0","ip_ip_len":"48","ip_ip_id":"0x000019be","ip_ip_flags":"0x00004000","ip_ip_flags_rb":false,"ip_ip_flags_df":true,"ip_ip_flags_mf":false,"ip_ip_frag_offset":"0","ip_ip_ttl":"123","ip_ip_proto":"6","ip_ip_checksum":"0x0000d35e","ip_ip_checksum_status":"2","ip_ip_src":"10.5.28.65","ip_ip_addr":["10.5.28.65","172.253.63.104"],"ip_ip_src_host":"10.5.28.65","ip_ip_host":["10.5.28.65","172.253.63.104"],"ip_ip_dst":"172.253.63.104","ip_ip_dst_host":"172.253.63.104"},"tcp":{"tcp_tcp_srcport":"64291","tcp_tcp_dstport":"80","tcp_tcp_port":["64291","80"],"tcp_tcp_stream":"66","tcp_tcp_len":"0","tcp_tcp_seq":"0","tcp_tcp_seq_raw":"1365520139","tcp_tcp_nxtseq":"1","tcp_tcp_ack":"0","tcp_tcp_ack_raw":"0","tcp_tcp_hdr_len":"28","tcp_tcp_flags":"0x00000002","tcp_tcp_flags_res":false,"tcp_tcp_flags_ns":false,"tcp_tcp_flags_cwr":false,"tcp_tcp_flags_ecn":false,"tcp_tcp_flags_urg":false,"tcp_tcp_flags_ack":false,"tcp_tcp_flags_push":false,"tcp_tcp_flags_reset":false,"tcp_tcp_flags_syn":true,"_ws_expert":{"tcp_tcp_connection_syn":null,"_ws_expert__ws_expert_message":"Connection establish request (SYN): server port 80","_ws_expert__ws_expert_severity":"2097152","_ws_expert__ws_expert_group":"33554432"},"tcp_tcp_flags_fin":false,"tcp_tcp_flags_str":"··········S·","tcp_tcp_window_size_value":"8192","tcp_tcp_window_size":"8192","tcp_tcp_checksum":"0x0000d6c0","tcp_tcp_checksum_status":"2","tcp_tcp_urgent_pointer":"0","tcp_tcp_options":"02:04:03:84:01:01:04:02","tcp_options_mss":"02:04:03:84","tcp_tcp_option_kind":"2","tcp_tcp_option_len":"4","tcp_tcp_options_mss_val":"900","tcp_options_nop":["01","01"],"tcp_tcp_option_kind":["1","1"],"tcp_options_sack_perm":"04:02","tcp_tcp_option_kind":"4","tcp_tcp_option_len":"2","tcp_tcp_analysis":null,"tcp_tcp_analysis_flags":null,"_ws_expert":{"tcp_tcp_analysis_retransmission":null,"_ws_expert__ws_expert_message":"This frame is a (suspected) retransmission","_ws_expert__ws_expert_severity":"4194304","_ws_expert__ws_expert_group":"33554432"},"tcp_tcp_analysis_rto":"5.762189000","tcp_tcp_analysis_rto_frame":"102","text":"Timestamps","tcp_tcp_time_relative":"5.762189000","tcp_tcp_time_delta":"5.762189000"}}}

似乎 Ip 源字段应该转换为某种数据类型。但我真的不这样做,因为我是一个 logstash newby。任何帮助将不胜感激。

标签: jsonlogstash

解决方案

I don't know if this is the best way to do it but it works. My solution was

grok {
    match => {
      "[layers][ip][ip_ip_src]" => "%{IP:ip_source}$"
    }
  }

Clearly was an issue related to format.

推荐阅读