Filebeat doesn't send the message field to logstash

daniele.saccon · July 19, 2019, 1:16pm

Hello,

I have deployed Filebeat 6.8.1 in docker container, filebeat sends all the corrected data but the MESSAGE field is missing.

The input configuration is:

type: log
paths:
- '/var/lib/docker/containers//.log'
  json.message_key: log
  json.keys_under_root: true
  enabled: true
  encoding: utf-8
  fields:
  type: docker_filebeat_log
  environment: production
  processors:
- add_docker_metadata: ~

I tried also with input docker, in this case I have the message field but I no longer have the TIME field.

The input configuration is:

type: docker
containers.ids: '*'
encoding: utf-8
enabled: true
exclude_files: ['.gz$']
fields:
type: docker_filebeat_log
environment: production
processors:
- add_docker_metadata: ~

Can you help me solve one of the two cases?

Thanks

Daniele

jsoriano · July 19, 2019, 2:31pm

Hi @daniele.saccon and welcome

If you are using filebeat to collect docker logs, it'd be better if you try with the second option, using the docker input. The time field of docker logs is stored as the @timestamp.

daniele.saccon · July 19, 2019, 3:02pm

Hi @jsoriano, thanks

The @timestamp is overwritten? Is its original value lost?

Thanks

Daniele

jsoriano · July 19, 2019, 3:05pm

The time in the logs is used as the @timestamp.

system · August 16, 2019, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docker fields won't be added Beats docker , filebeat	3	297	April 8, 2020
Filebeat lost lines from docker json log file Beats docker , filebeat	1	389	July 24, 2020
Not able to read time field from docker logs Beats	8	1454	February 16, 2018
Filebeat cannot parse a custom @timestamp string Beats docker , filebeat	2	1568	November 20, 2020
Filebeat timestamp on docker input Beats filebeat	3	661	October 9, 2018

Filebeat doesn't send the message field to logstash

Related topics