Getting Data In

ERROR JsonLineBreaker had parsing error:Unexpected character while parsing backslash escape: '|'

Juhi28
New Member

Hi,

I am getting the below JSON parser exception in one of my data sources [json sourcetype]. I don't think there is any issue with the inputs.conf currently in place. Please help.

ERROR JsonLineBreaker - JSON StreamId:7831683518768418639 had parsing error:Unexpected character while parsing backslash escape: '|' - data_source="L:\logs\app\ABC\abc.data.log", data_host="Host001", data_sourcetype="_json"

inputs.conf :-
[monitor://L:\logs\app\ABC\abc.data.log]
sourcetype = _json
index = mydata

0 Karma

martin_mueller
SplunkTrust

Somewhere in that file abc.data.log there is a pipe character | that's breaking the JSON parsing. Find it.

0 Karma

martin_mueller
SplunkTrust

You've found the culprit? Great 🙂

0 Karma

Juhi28
New Member

Yes, correct, I found an extra backslash character in the data itself which was breaking the json source type.
However, it took a lot of time to scan events and judge which event was exactly the culprit.

0 Karma

woodcock
Esteemed Legend

You should click Accept to close the question.

0 Karma

martin_mueller
SplunkTrust

Okay... so, what's inside that file? Possibly filtered for "contains pipe char" and "happened around the time of the error"?

0 Karma

Juhi28
New Member

@martin, I think I didn't understand your ask. We are already monitoring the below logfile. Is it different from what you are asking?

[monitor://L:\logs\app\ABC\abc.data.log]
sourcetype = _json
index = mydata

0 Karma

nikita_p
Contributor

Hi,
You should try deploying LINE_BREAKER in props.conf of your indexer
Try:

LINE_BREAKER = "uri":+[^}]+}(,[\r\n]+)
Or:

LINE_BREAKER = }(,[\r\n\s]+){[\r\n\s]+"line":\s1

Please find below the link in Splunk Answers, and check the accepted answers and the comments in it. This might help you.
https://answers.splunk.com/answers/700692/splunk-json-parsing-error.html

0 Karma

Juhi28
New Member

Hi nikita, how were you able to infer that we should go by this line breaker?

0 Karma

nikita_p
Contributor

As you have mentioned your log format is json, so this regex is for basic json files.
You can also check using INDEXED_EXTRACTIONS = JSON if this regex doesn't work.

0 Karma

martin_mueller
SplunkTrust

You could search the corresponding logfiles that should have been read around that time for a pipe character, for example. You've got the host and path in the message plus its timestamp.

0 Karma
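One way to run the search suggested above, as an added example that is not part of the original thread: it scans a log for backslash sequences JSON does not allow (such as `\|`) and reports the line and column of each. It assumes one JSON event per line; the names `find_bad_escapes`, `parses` and `SAMPLE` are hypothetical, and the sample lines are constructed.

```python
import io
import json
import re
import sys

# A backslash plus what follows it. finditer consumes escapes left to right,
# so "\\|" (escaped backslash, then a literal pipe) is not misread as "\|".
ESCAPE = re.compile(r"\\(u[0-9A-Fa-f]{4}|.|$)")
VALID_SINGLE = set('"\\/bfnrt')  # the single-character escapes JSON allows


def find_bad_escapes(stream):
    """Return (line_number, column, sequence) for every invalid escape."""
    findings = []
    for lineno, line in enumerate(stream, 1):
        line = line.rstrip("\r\n")
        for m in ESCAPE.finditer(line):
            tail = m.group(1)
            if len(tail) == 5 or tail in VALID_SINGLE:  # \uXXXX or e.g. \n
                continue
            findings.append((lineno, m.start() + 1, "\\" + tail))
    return findings


def parses(line):
    """Cross-check a single event with a strict JSON parser."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False


# Constructed sample: line 2 carries a stray backslash before a pipe.
SAMPLE = "\n".join([
    r'{"level": "INFO", "tid": "CallerFilePath: e:\\abc\\DM.svc.cs"}',
    r'{"level": "INFO", "msg": "args: Viewer\|GNGFDwednes"}',
    r'{"level": "INFO", "msg": "escaped backslash then pipe: \\|"}',
])

if __name__ == "__main__":
    # Pass the path from the error's data_source field, or run on the sample.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else io.StringIO(SAMPLE)
    with src:
        for lineno, col, seq in find_bad_escapes(src):
            print(f"line {lineno}, column {col}: invalid escape {seq!r}")
```

Run it on the host named in `data_host` against the file named in `data_source`; the reported line is the event to fix at the application that writes the log.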

Juhi28
New Member

Yes, the log file is: L:\logs\app\MMData\PM.Let.Marketjob.DEV.log.

This is the only log which is erring out.

0 Karma

martin_mueller
SplunkTrust

Judging from the [-] and the lack of double quotes I'm guessing that's an event Splunk successfully parsed as JSON? A successful event isn't going to tell us what the broken events looked like.

0 Karma

Juhi28
New Member

So how should I check which event broke and resulted in "ERROR JsonLineBreaker - JSON StreamId:7831683518768418639 had parsing error:Unexpected character while parsing backslash escape: '|' -"?

0 Karma

martin_mueller
SplunkTrust

It would help if you posted the content in your abc.data.log that caused the parsing error.

0 Karma

Juhi28
New Member

Here is a sample data:

{ [-]
ClApp: Applicationname
ClHost: 144.xy.zz.155
ClRealm: Realm
ClUser: juhi28
Env: DEV
ExecMs: 0
ReqEnd: http://juhidev:8700/data/DataManagerService.svc
ReqType: POST
StackTrace:
Status: OK
class: XYZ.Live.DataLive.DataManagerService
host: VMA001NVMM
level: INFO
msg: View request for Random View
tid: CallerFilePath: e:\abc\xcv\wed\qas\int\svn_source\src\PIM\PLMDService\DM.svc.cs; CallerLineNumber: 86; CallerMemberArguments: Viewer,GNGFDwednes
ts: 2019-01-14 21:57:29.24
user: service_account
}

0 Karma