Combine separated JSON logs in k8s

Dennis_Haseloff · September 7, 2021, 8:49am

Hi all,

We are using a filebeat daemon set with autodisocover to scrape all container logs which are all in the JSON logstash format. Using docker container runtime, the docker json-file driver splits bigger logs into 16kb parts, therefore the JSON is not valid and could not be parsed by the filebeat processor. Is it possible to use something like ‘combine_partial’ from the docker type filebeat inputs to archive a valid JSON?

This is the filebeat (partly) configuration we use

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          node: ${NODE_NAME}
          hints:
            enabled: true
            default_config:
              type: container
              harvester_buffer_size: 32768
              containers.ids:
                - "${data.kubernetes.container.id}"
              enabled: false
              paths:
                - /var/log/containers/*${data.kubernetes.container.id}.log

Thanks a lot

Dennis

ChrsMark · September 8, 2021, 6:49am

Hi @Dennis_Haseloff !

I'm not sure if this is doable but maybe you can try using format option along with multiline. Please see Container input | Filebeat Reference [master] | Elastic for more information.

C.

system · October 6, 2021, 8:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat breaking up docker log lines Beats filebeat	3	799	September 26, 2018
Ingest mixed container logs with text and JSON [ECK][filebeat] Beats filebeat	3	1453	December 16, 2021
Parse json from selected pods only Beats docker , filebeat	2	712	February 20, 2020
Ingest mixed container logs with text and JSON [filebeat][docker] Logs	5	3555	June 9, 2021
Architecturally should filebeat handle nested json parsing or should it be moved to logstash? Beats filebeat	5	1849	September 21, 2016

Combine separated JSON logs in k8s

Related topics