Json parse error when json sent through postman on gelf

vinay · April 19, 2018, 12:25pm

Hi Team,

I have a json file as below, i am sending it through gelf.

{
    "message": "test",
    "timestamp": 1523522669364,
    "errorCode": "null",
}

timestamp is unix epoch format. (millis)

I am using the below pipeline rule to convert the timestamp to normal timestamp.

rule "XXX"
when
    has_field("message")
then
    let json = parse_json(to_string($message.message));
    let fields = select_jsonpath(json, {time:"$.timestamp"});
    set_fields(fields);
    let new_time = to_long($message.time);
    set_field("new_time1", new_time / 1000);
    let epoch = parse_date("1970-01-01T00:00:00", "yyyy-MM-dd'T'HH:mm:ss");
    let ts_seconds = seconds(to_long($message.new_time1));
    set_field("timestamp", epoch + ts_seconds);
end

When i simulate the json with the above pipeline, the timestamp is parsing accurately.

But when i send the json through postman on gelf, i am getting the below error in graylog logs.

2018-04-19 10:43:23,635 WARN : org.graylog.plugins.pipelineprocessor.functions.json.JsonParse - Unable to parse json
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting ('true', 'false' or 'null')
at [Source: iot; line: 1, column: 7]

Could someone help.

Thanks in advance.

Regards,
Vinay.

jochen · April 19, 2018, 12:54pm

That’s not a valid GELF message. Please refer to http://docs.graylog.org/en/2.4/pages/gelf.html#gelf-payload-specification for details.

vinay:

2018-04-19 10:43:23,635 WARN : org.graylog.plugins.pipelineprocessor.functions.json.JsonParse - Unable to parse json
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting ('true', 'false' or 'null')
at [Source: iot; line: 1, column: 7]

The string “test” (without the double quotes) is not a valid JSON structure.

vinay · April 20, 2018, 5:16am

can you please give an example valid gelf json

i am sending double qouted text “test” in message

jochen · April 20, 2018, 6:24am

I already linked to the GELF specification which includes several example messages.

vinay · April 20, 2018, 7:28am

Hi Jochen,

The json is getting indexed now. I am using the below rule.
rule “XXX”
when
has_field(“message”)
then
let json = parse_json(to_string(message.message)); let fields = select_jsonpath(json, {time:".timestamp"});
set_fields(fields);
let new_time = to_long($message.time);
set_field(“new_time1”, new_time / 1000);
let epoch = parse_date(“1970-01-01T00:00:00”, “yyyy-MM-dd’T’HH:mm:ss”);
let ts_seconds = seconds(to_long($message.new_time1));
set_field(“timestamp”, epoch + ts_seconds);
end
The problem is :
Simulator is giving the exact time,
but the indexed data has timestamp as 1970-01-01T00:00:00 (which is not correct)

system · May 4, 2018, 7:29am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tomcat timestamp parsing problem Graylog Central (peer support)	3	476	October 28, 2022
Parse timestamp to graylog Graylog Central (peer support)	9	7005	August 25, 2017
Nginx GELF sending leading timestamp Graylog Central (peer support) pipeline-rules	3	1373	February 3, 2021
Pipeline. Timestamp dont change Graylog Central (peer support) pipeline-rules	3	468	June 8, 2021
Pipeline parsing and setting correct timestamp Graylog Central (peer support) pipeline-rules	11	12935	July 20, 2017

Json parse error when json sent through postman on gelf

Related Topics