LogStash::Json::ParserError:意外字符('.‘(代码46)):期望的分隔根级值的空格
LogStash::Json::ParserError:意外字符('.‘(代码46)):期望的分隔根级值的空格
提问于 2020-09-22 01:29:28
您好,我从logstash收到这个错误消息,因为它没有生成新的字段。因为我在其他领域没有问题,所以这似乎与IP格式有关。
[WARN ] 2020-09-21 00:32:19.286 [[main]>worker1] json - Error parsing json {:source=>"[layers][ip][ip_ip_src_host]", :raw=>"10.5.28.65", :exception=>#<LogStash::Json::ParserError: Unexpected character ('.' (code 46)): Expected space separating root-level values我的logstash输入是:
file {
path => "/home/ubuntu/logstash/traffic/*pcap000.json"
start_position => "beginning"
sincedb_path => "NUL"
codec => json {
charset => "UTF-8"
}我的logstash json过滤器会产生错误,它是:
json {
source => "[layers][ip][ip_ip_src_host]"
target => "ip_source"
}它的来源是
{"timestamp":"1599619294714","layers":{"frame":{"frame_frame_encap_type":"7","frame_frame_time":"2020-09-09T02:41:34.714912000Z","frame_frame_offset_shift":"0.000000000","frame_frame_time_epoch":"1599619294.714912000","frame_frame_time_delta":"0.016702000","frame_frame_time_delta_displayed":"0.016702000","frame_frame_time_relative":"7.899440000","frame_frame_number":"427","frame_frame_len":"48","frame_frame_cap_len":"48","frame_frame_marked":false,"frame_frame_ignored":false,"frame_frame_protocols":"raw:ip:tcp"},"raw":{},"ip":{"ip_ip_version":"4","ip_ip_hdr_len":"20","ip_ip_dsfield":"0x00000000","ip_ip_dsfield_dscp":"0","ip_ip_dsfield_ecn":"0","ip_ip_len":"48","ip_ip_id":"0x000019be","ip_ip_flags":"0x00004000","ip_ip_flags_rb":false,"ip_ip_flags_df":true,"ip_ip_flags_mf":false,"ip_ip_frag_offset":"0","ip_ip_ttl":"123","ip_ip_proto":"6","ip_ip_checksum":"0x0000d35e","ip_ip_checksum_status":"2","ip_ip_src":"10.5.28.65","ip_ip_addr":["10.5.28.65","172.253.63.104"],"ip_ip_src_host":"10.5.28.65","ip_ip_host":["10.5.28.65","172.253.63.104"],"ip_ip_dst":"172.253.63.104","ip_ip_dst_host":"172.253.63.104"},"tcp":{"tcp_tcp_srcport":"64291","tcp_tcp_dstport":"80","tcp_tcp_port":["64291","80"],"tcp_tcp_stream":"66","tcp_tcp_len":"0","tcp_tcp_seq":"0","tcp_tcp_seq_raw":"1365520139","tcp_tcp_nxtseq":"1","tcp_tcp_ack":"0","tcp_tcp_ack_raw":"0","tcp_tcp_hdr_len":"28","tcp_tcp_flags":"0x00000002","tcp_tcp_flags_res":false,"tcp_tcp_flags_ns":false,"tcp_tcp_flags_cwr":false,"tcp_tcp_flags_ecn":false,"tcp_tcp_flags_urg":false,"tcp_tcp_flags_ack":false,"tcp_tcp_flags_push":false,"tcp_tcp_flags_reset":false,"tcp_tcp_flags_syn":true,"_ws_expert":{"tcp_tcp_connection_syn":null,"_ws_expert__ws_expert_message":"Connection establish request (SYN): server port 80","_ws_expert__ws_expert_severity":"2097152","_ws_expert__ws_expert_group":"33554432"},"tcp_tcp_flags_fin":false,"tcp_tcp_flags_str":"··········S·","tcp_tcp_window_size_value":"8192","tcp_tcp_window_size":"8192","tcp_tcp_checksum":"0x0000d6c0","tcp_tcp_checksum_status":"2","tcp_tcp_urgent_pointer":"0","tcp_tcp_options":"02:04:03:84:01:01:04:02","tcp_options_mss":"02:04:03:84","tcp_tcp_option_kind":"2","tcp_tcp_option_len":"4","tcp_tcp_options_mss_val":"900","tcp_options_nop":["01","01"],"tcp_tcp_option_kind":["1","1"],"tcp_options_sack_perm":"04:02","tcp_tcp_option_kind":"4","tcp_tcp_option_len":"2","tcp_tcp_analysis":null,"tcp_tcp_analysis_flags":null,"_ws_expert":{"tcp_tcp_analysis_retransmission":null,"_ws_expert__ws_expert_message":"This frame is a (suspected) retransmission","_ws_expert__ws_expert_severity":"4194304","_ws_expert__ws_expert_group":"33554432"},"tcp_tcp_analysis_rto":"5.762189000","tcp_tcp_analysis_rto_frame":"102","text":"Timestamps","tcp_tcp_time_relative":"5.762189000","tcp_tcp_time_delta":"5.762189000"}}}似乎Ip源字段应该转换为某种数据类型。但我真的不喜欢,因为我是个木头纽比。任何帮助都将不胜感激。
回答 1
Stack Overflow用户
发布于 2020-09-22 18:31:36
我不知道这是不是最好的方法,但它是有效的。我的解决方案是
grok {
match => {
"[layers][ip][ip_ip_src]" => "%{IP:ip_source}$"
}
}显然,这是一个与格式有关的问题。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/63997243
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号