Hi,
I am getting the below JSONParser exception in one of my data sources [json sourcetype]. I don't think there is any issue with the inputs.conf currently in place. Please help.
ERROR JsonLineBreaker - JSON StreamId:7831683518768418639 had parsing error:Unexpected character while parsing backslash escape: '|' - data_source="L:\logs\app\ABC\abc.data.log", data_host="Host001", data_sourcetype="_json"
inputs.conf :-
[monitor://L:\logs\app\ABC\abc.data.log]
sourcetype = _json
index = mydata
I had the same problem on a UF, checking the sourcetype props I noticed that there were magic 6 on the agent. After deleting them, the collection works again.
Somewhere in that file abc.data.log there is a pipe character | that's breaking the JSON parsing. Find it.
You've found the culprit? Great 🙂
Yes correct, found an extra backslash character in the data itself which was breaking json source type.
However it took a lot of time to scan events and judge which event was exactly the culprit.
You should click Accept to close the question.
Okay... so, what's inside that file? Possibly filtered for "contains pipe char" and "happened around the time of the error"?
@martin, I think I didn't understand your ask. We are already monitoring the below logfile. Is it different from what you are asking?
[monitor://L:\logs\app\ABC\abc.data.log]
sourcetype = _json
index = mydata
Hi,
You should try deploying LINE_BREAKER in props.conf of your indexer
Try:
LINE_BREAKER = "uri":+[^}]+}(,[\r\n]+)
Or:
LINE_BREAKER = }(,[\r\n\s]+){[\r\n\s]+"line":\s1
PFB the link in Splunk Answers; check the accepted answers and the comments there. This might help you.
https://answers.splunk.com/answers/700692/splunk-json-parsing-error.html
Hi nikita, how were you able to infer that we should go by this line breaker?
As you have mentioned your log format is json, so this regex is for basic json files.
You can also check using INDEXED_EXTRACTIONS = JSON if this regex doesn't work.
You could search the corresponding logfiles that should have been read around that time for a pipe character, for example. You've got the host and path in the message plus its timestamp.
Yes, the log file is :- L:\logs\app\MMData\PM.Let.Marketjob.DEV.log.
This is the only log which is erring out.
Judging from the [-] and the lack of double quotes I'm guessing that's an event Splunk successfully parsed as JSON? A successful event isn't going to tell us what the broken events looked like.
So how should I check which event broke and resulted in "ERROR JsonLineBreaker - JSON StreamId:7831683518768418639 had parsing error:Unexpected character while parsing backslash escape: '|' -"?
It would help if you posted the content in your abc.data.log that caused the parsing error.
Here is a sample data:
{ [-]
ClApp: Applicationname
ClHost: 144.xy.zz.155
ClRealm: Realm
ClUser: juhi28
Env: DEV
ExecMs: 0
ReqEnd: http://juhidev:8700/data/DataManagerService.svc
ReqType: POST
StackTrace:
Status: OK
class: XYZ.Live.DataLive.DataManagerService
host: VMA001NVMM
level: INFO
msg: View request for Random View
tid: CallerFilePath: e:\abc\xcv\wed\qas\int\svn_source\src\PIM\PLMDService\DM.svc.cs; CallerLineNumber: 86; CallerMemberArguments: Viewer,GNGFDwednes
ts: 2019-01-14 21:57:29.24
user: service_account
}
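One way to locate the event behind the JsonLineBreaker error discussed in this thread, instead of scanning events by eye: an added example, not code from any poster or from Splunk. It assumes one JSON event per line in the raw log file; the function names and the sample lines are constructed for illustration.

```python
import re
import sys

# Single-character escapes JSON allows after a backslash (RFC 8259); \uXXXX is matched below.
VALID_ESCAPES = set('"\\/bfnrt')
ESCAPE = re.compile(r'\\(u[0-9a-fA-F]{4}|.|$)')

def bad_escapes(line):
    """Return [(column, sequence)] for each invalid backslash escape in one raw line."""
    found = []
    # finditer consumes a backslash together with the character after it, so an
    # escaped backslash is skipped as a unit and is not misread as a bad escape.
    for m in ESCAPE.finditer(line):
        body = m.group(1)
        if len(body) == 5 or body in VALID_ESCAPES:  # \uXXXX or a legal escape
            continue
        found.append((m.start() + 1, "\\" + body))   # 1-based column of the backslash
    return found

def scan(lines):
    """Return [(line_no, column, sequence)] over an iterable of raw log lines."""
    hits = []
    for no, raw in enumerate(lines, 1):
        for col, seq in bad_escapes(raw.rstrip("\r\n")):
            hits.append((no, col, seq))
    return hits

# Constructed sample events; field names borrowed from the sample data in the thread.
SAMPLE = [
    r'{"level": "INFO", "msg": "View request for Random View", "Status": "OK"}',
    r'{"level": "INFO", "msg": "path C:\\logs\\app", "Status": "OK"}',
    r'{"level": "INFO", "msg": "Viewer\|GNGFD", "Status": "OK"}',
]

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    for no, col, seq in scan(lines):
        print(f"line {no}, column {col}: invalid escape {seq!r}")
```

Unescaped Windows paths written into a JSON string field (a single backslash before most letters) are reported the same way as the backslash-pipe sequence.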