Can Logstash output a read JSON-line as an event with multiple fields?

Mattness · March 31, 2020, 7:16am

Hello,

so I am trying to feed logdata to Elasticsearch. At first I tried Filebeat but that method did just read 1 line of JSON and converted it into one field called "message".

For that reason I switched to Logstash only to find that it behaves exactly the same. It reads one line of the JSON in the log file and puts it into a field called "message".

My problem is that I want to actually work with the data, e.g. create Kibana visualizations. But in order for that to work I need the data in this format:

1 line of JSON = 1 event with as many fields as there are properties. I guess I almost want something like deserialization. I logstash or any part of the ELK capable of this?

Robo · March 31, 2020, 8:19am

In case your logs are already in json, use json filter in the pipeline
https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html

    filter {
      json {
        source => "message"
      }
    }

Of course it also works with filebeat:
https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html

processors:
 - decode_json_fields:
     fields: ['message']
     target: json

If you have regular single/multiline messages, use grok or dissect filter to extract the values.

Mattness · March 31, 2020, 9:10am

Thank you so much. I did not even think about filters ...

You really helped me out!

Topic		Replies	Views
Configure log file, into json format Logstash	6	7343	July 6, 2017
Parsing a long json line with filebeat to logstash Beats filebeat	6	3145	September 24, 2018
Parse Json data wrapped in "message" into event fields Logstash	6	10946	July 6, 2017
Obtener un json de una entrada de log Logstash	9	1127	February 26, 2019
JSON Input showing up line by line Beats filebeat	2	551	May 22, 2017

Can Logstash output a read JSON-line as an event with multiple fields?

Related topics