Filebeat hints-based autodiscover for JSON encoded logs


I'm trying to set up autodiscovery in Kubernetes for Filebeat. There is a DaemonSet running Filebeat on each node, logging into ElasticSearch.
Hints based autodiscovery works well for HAProxy and nginx Containers/Pods, but I'm running into problems with JSON-encoded logs. Several of my containers run SpringBoot+LogBack.

The problem I have is that I can't figure out how I can configure the parsing.

This is the autodiscover part from filebeat.yml:

        - type: kubernetes
          hints.enabled: true
          json.message_key: log
        - config:
            - type: docker
                - "${}"
              json.keys_under_root: true
              json.add_error_key: true
              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines

I can see the following in the message in Kibana.

{ "@timestamp": "2019-04-05T10:18:58.057+00:00","@version": 1,"message": "Longer than usual backend-request detected. ","logger_name": "com.example.package.MyClass","thread_name": "http-nio-", "level": "WARN","level_value": 30000}

But it's just a string and I would like to have it parsed and be able to filter based on the keys.

I tried to add annotations to the pods, but I wasn't sure what to put there.

When I tried the following, I got Grok error messages:

    co.elastic.logs/module: logstash
    co.elastic.logs/format: json

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.