This is the document I am using to test the pipeline:
[{"_index":"filebeat-7.13.2-2021.11.26-000253","_id":"id","_source":
{
"@timestamp": "2021-11-26T12:37:50.258Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.13.2"
},
"ecs": {
"version": "1.8.0"
},
"host": {
"name": "server1",
"mac": [
"xx:xx:xx:xx:xx:xx",
"xx:xx:xx:xx:xx:xx"
],
"hostname": "server1",
"architecture": "x86_64",
"os": {
"name": "Ubuntu",
"kernel": "4.15.0-159-generic",
"codename": "bionic",
"type": "linux",
"platform": "ubuntu",
"version": "18.04.5 LTS (Bionic Beaver)",
"family": "debian"
},
"id": "123123123123123123",
"containerized": false,
"ip": [
"123.123.123.123",
"1234::1234:1234:1234:1234"
]
},
"agent": {
"hostname": "server1",
"ephemeral_id": "abc1234-1234-1234-1234-abc123abc123",
"id": "d208eb89-1234-1234-1234-abc123abc123",
"name": "server1",
"type": "filebeat",
"version": "7.13.2"
},
"cloud": {
"service": {
"name": "virtualmachine"
},
"provider": "Provider",
"instance": {
"id": "123123123"
},
"region": "abc3"
},
"container": {
"id": "myfile_log.csv"
},
"log": {
"offset": 3481619131,
"file": {
"path": "/mnt/myfile_log.csv"
},
"flags": [
"multiline"
]
},
"message": "3,https://mysite.com/folder/qs?parameter1=ABC&page=1,,GET,null,'{\"Host\":[\"www.mysite.com\"],\"Authorization\":[\"Bearer abc-fgh-IJ\"],\"Accept\":[\"application\\/app.version.v5+json\"],\"Content-Type\":[\"application\\/app.version.v5+json\"],\"User-Agent\":[\"Agent\\/1.6.0\"]}',,200,'{\"Server\":[\"nginx\"],\"Date\":[\"Fri, 26 Nov 2021 12:19:09 GMT\"],\"Content-Type\":[\"application\\/app.version.v5+json;charset=UTF-8\"],\"Transfer-Encoding\":[\"chunked\"],\"Connection\":[\"keep-alive\"],\"Vary\":[\"Origin\",\"Access-Control-Request-Method\",\"Access-Control-Request-Headers\",\"Origin,Access-Control-Request-Method,Access-Control-Request-Headers\"],\"X-RateLimit-Limit\":[\"25\"],\"X-RateLimit-Remaining\":[\"24\"],\"X-RateLimit-Reset\":[\"51\"],\"x-request-id\":[\"123-abc-123\"],\"x-rid\":[\"123-abc\"],\"warning\":[\"299 - \\u0022Test API\\u0022\"],\"x-envoy-upstream-service-time\":[\"27\"],\"Strict-Transport-Security\":[\"max-age=86400\"],\"X-Content-Type-Options\":[\"nosniff\"],\"X-Frame-Options\":[\"SAMEORIGIN\"],\"X-XSS-Protection\":[\"1; mode=block\"]}','{\n \"orders\" : [ {\n \"wharehouse\" : \"123\",\n \"orderPlacedDateTime\" : \"2021-11-26T10:47:23+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"123\",\n \"ean\" : \"123\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n }, {\n \"wharehouse\" : \"123\",\n \"orderPlacedDateTime\" : \"2021-11-26T07:47:14+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"1234\",\n \"ean\" : \"1234\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n }, {\n \"wharehouse\" : \"345\",\n \"orderPlacedDateTime\" : \"2021-11-25T22:22:29+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"345\",\n \"ean\" : \"123\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n }, {\n \"orderItemId\" : \"345\",\n \"ean\" : \"345\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n } 
]\n}',2021-11-26T12:19:09+00:00,88",
"input": {
"type": "log"
}
}
}]
I have created that document by running filebeat with output:console and pasting one line in the middle of this code:
[{"_index":"filebeat-7.13.2-2021.11.26-000253","_id":"id","_source":
<FILEBEAT OUTPUT>
}]
When I use it on the pipeline as a test document, the result is OK: the pipeline identifies the fields and creates them with the corresponding field names.
About this question. My logfile is created by an application that uses several lines per log, so I have to join those lines into one big line and then ship it to ELK. That is working OK. I can see the documents in Kibana where the "message" field contains all the information from those log lines.
POST your-filebeat-index/_doc/?pipeline=my-custom-pipeline
{
"message": "your sample message here"
}
This didn't work. I tried with:
"message": "3,https://mysite.com/folder/qs?parameter1=ABC&page=1,,GET,null,'{\"Host\":[\"www.mysite.com\"],\"Authorization\":[\"Bearer abc-fgh-IJ\"],\"Accept\":[\"application\\/app.version.v5+json\"],\"Content-Type\":[\"application\\/app.version.v5+json\"],\"User-Agent\":[\"Agent\\/1.6.0\"]}',,200,'{\"Server\":[\"nginx\"],\"Date\":[\"Fri, 26 Nov 2021 12:19:09 GMT\"],\"Content-Type\":[\"application\\/app.version.v5+json;charset=UTF-8\"],\"Transfer-Encoding\":[\"chunked\"],\"Connection\":[\"keep-alive\"],\"Vary\":[\"Origin\",\"Access-Control-Request-Method\",\"Access-Control-Request-Headers\",\"Origin,Access-Control-Request-Method,Access-Control-Request-Headers\"],\"X-RateLimit-Limit\":[\"25\"],\"X-RateLimit-Remaining\":[\"24\"],\"X-RateLimit-Reset\":[\"51\"],\"x-request-id\":[\"123-abc-123\"],\"x-rid\":[\"123-abc\"],\"warning\":[\"299 - \\u0022Test API\\u0022\"],\"x-envoy-upstream-service-time\":[\"27\"],\"Strict-Transport-Security\":[\"max-age=86400\"],\"X-Content-Type-Options\":[\"nosniff\"],\"X-Frame-Options\":[\"SAMEORIGIN\"],\"X-XSS-Protection\":[\"1; mode=block\"]}','{\n \"orders\" : [ {\n \"wharehouse\" : \"123\",\n \"orderPlacedDateTime\" : \"2021-11-26T10:47:23+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"123\",\n \"ean\" : \"123\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n }, {\n \"wharehouse\" : \"123\",\n \"orderPlacedDateTime\" : \"2021-11-26T07:47:14+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"1234\",\n \"ean\" : \"1234\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n }, {\n \"wharehouse\" : \"345\",\n \"orderPlacedDateTime\" : \"2021-11-25T22:22:29+01:00\",\n \"orderItems\" : [ {\n \"orderItemId\" : \"345\",\n \"ean\" : \"123\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n }, {\n \"orderItemId\" : \"345\",\n \"ean\" : \"345\",\n \"quantity\" : 1,\n \"quantityShipped\" : 0,\n \"quantityCancelled\" : 0\n } ]\n } 
]\n}',2021-11-26T12:19:09+00:00,88",
Thanks.
EDIT:
This is the error I get when I try it:
{
"error" : {
"root_cause" : [
{
"type" : "parse_exception",
"reason" : "Failed to parse content to map"
}
],
"type" : "parse_exception",
"reason" : "Failed to parse content to map",
"caused_by" : {
"type" : "json_parse_exception",
"reason" : "Unexpected character ('}' (code 125)): was expecting double-quote to start field name\n at [Source: (byte[])\"{\r\n \"message\": \"3,https://mysite.com/folder/qs?parameter1=ABC&page=1,,GET,null,'{\\\"Host\\\":[\\\"www.mysite.com\\\"],\\\"Authorization\\\":[\\\"Bearer abc-fgh-IJ\\\"],\\\"Accept\\\":[\\\"application\\\\/app.version.v5+json\\\"],\\\"Content-Type\\\":[\\\"application\\\\/app.version.v5+json\\\"],\\\"User-Agent\\\":[\\\"Agent\\\\/1.6.0\\\"]}',,200,'{\\\"Server\\\":[\\\"nginx\\\"],\\\"Date\\\":[\\\"Fri, 26 Nov 2021 12:19:09 GMT\\\"],\\\"Content-Type\\\":[\\\"application\\\\/app.version.v5+json;charset=UTF-8\\\"],\\\"Transfer-Encoding\\\":[\\\"chunked\\\"],\\\"Connection\\\":[\\\"k\"[truncated 1673 bytes]; line: 3, column: 2]"
}
},
"status" : 400
}
It's strange that it works when I test it manually but it doesn't when I do it with the API.
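
The request body from the post, built with a JSON serialiser instead of by hand, as an added example that is not part of the original post. The error quoted above is what a strict JSON parser reports when a comma is followed directly by `}`; `RAW_MESSAGE` is a constructed, shortened record and the function names are hypothetical.

```python
import json

# Constructed sample: a shortened record in the shape the post shows
# (single-quoted embedded JSON, nested double quotes, raw newlines).
RAW_MESSAGE = (
    "3,https://mysite.com/folder/qs?parameter1=ABC&page=1,,GET,null,"
    "'{\"Host\":[\"www.mysite.com\"]}',,200,"
    "'{\n \"orders\" : [ ]\n}',2021-11-26T12:19:09+00:00,88"
)


def build_index_body(message: str) -> str:
    """Body for POST <index>/_doc/?pipeline=<name>; the serialiser does all escaping."""
    return json.dumps({"message": message})


def hand_edited_body(message: str) -> str:
    """Same content, but with a comma left after the only field, then '}'."""
    return '{\r\n  "message": ' + json.dumps(message) + ',\r\n}'


def check_body(body: str):
    """Strict JSON parse before sending (assumption: stands in for the server's parser).

    Returns (True, message) when the body is a JSON object with a string
    'message' field, otherwise (False, reason).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"
    if not isinstance(doc, dict) or not isinstance(doc.get("message"), str):
        return False, "body must be an object with a string 'message' field"
    return True, doc["message"]


if __name__ == "__main__":
    for label, body in (("serialised", build_index_body(RAW_MESSAGE)),
                        ("hand-edited", hand_edited_body(RAW_MESSAGE))):
        ok, detail = check_body(body)
        print(label, "OK" if ok else "REJECTED: " + detail)
```
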