Filebeat 5.0.0-alpha3 not parsing the JSON messages, it shows up as a string


#1

Hi,
I am sending logs from Filebeat to Elasticsearch directly. My logs are in JSON format and some have nested JSON objects too. I am using Filebeat 5.0.0-alpha3 version for parsing the log files, but I still see the JSON messages as a string on Kibana:

I want the message to be shown as message.message "".

How can I get this working?

My filebeat.yml is as below:

filebeat:
 prospectors:

# Each - is a prospector. Most options can be set at the prospector level, so
# you can use different prospectors for various configurations.
# Below are the prospector specific configurations.

 -
  input_type: log


  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /home/resources/sample2.log
    # - /home/MXFiles/facade/logs/debug.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ["^DBG"]

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ["^ERR", "^WARN"]

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: [".gz$"]

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  # multiline.pattern: ^\{

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: true

  # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
  #multiline.match: after
  json:
        message_key: log
        keys_under_root: true
        overwrite_keys: true

(ruflin) #2

Can you share some example log lines?


#3

Here is a sample log from the file:

{"time": "2016-06-22T09:06:41.120Z", "level": "INFO", "category": "sample.js", "hostname": "xxx", "message": {"message":"[*] Waiting for messages in agentUpdates."}}


(ruflin) #4

It looks like your message is actually under message.message and not log. @tudor Is it possible to have nested fields for the message key?
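
An added example, not part of the original thread and not Filebeat's own code: a Python check that decodes the sample line from post #3 and tests a candidate `message_key` against the rule in Filebeat's documentation for the json options, namely that the key must sit at the top level of the JSON object and hold a string value. `flatten` and `check_line` are hypothetical helper names; the statuses are labels chosen for this example.

```python
import json

# Constructed input: the sample line from post #3 of this thread.
SAMPLE = ('{"time": "2016-06-22T09:06:41.120Z", "level": "INFO", '
          '"category": "sample.js", "hostname": "xxx", "message": '
          '{"message":"[*] Waiting for messages in agentUpdates."}}')


def flatten(obj, prefix=""):
    """Map dotted field paths (e.g. message.message) to leaf values."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def check_line(line, message_key):
    """Hypothetical helper: classify one log line against json.message_key."""
    try:
        doc = json.loads(line)
    except ValueError:
        return {"status": "not_json", "fields": {}}
    if not isinstance(doc, dict):
        return {"status": "not_object", "fields": {}}
    fields = flatten(doc)
    if message_key not in doc:
        status = "message_key_missing"        # e.g. message_key: log
    elif not isinstance(doc[message_key], str):
        status = "message_key_not_string"     # e.g. message_key: message
    else:
        status = "ok"
    return {"status": status, "fields": fields}


if __name__ == "__main__":
    for key in ("log", "message", "level"):
        result = check_line(SAMPLE, key)
        print(f"message_key={key!r}: {result['status']}")
    print(sorted(check_line(SAMPLE, "log")["fields"]))
```

Running it over a sample of a log file before deploying a prospector shows which lines would reach Elasticsearch undecoded or without the expected field paths, which matters when alerting queries depend on those fields.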

