Filebeat is not able to parse json from files where \n separated json lines (events) are written. It sometimes misses the records and sometimes gives error when traffic is high

Aman_Sehgal · November 17, 2017, 7:07am

Hi Ruffin,

If I transfer the same file again, it is processed successfully without any error.

Filebeat picks already rotated files.

filebeat config :

In filebeat.yml,

filebeat.prospectors:

- input_type: log
paths:
/root/cdrs/*-*.log
json.keys_under_root: true
json.add_error_key: true

ignore_older: 24h
close_inactive: 12h
scan_frequency: 30s
clean_inactive: 48h
clean_removed: true
close_removed: true
close_eof: true

output.logstash:

hosts: ["VALID IP:5043"]
fields_under_root: false

////////////////////////////////////////////////////////////////////////
Logstash Config:

input {
beats {
port => 5043
client_inactivity_timeout => 86400
}
}

filter
{
grok {
match => { "g2uEvent" => "%{TIMESTAMP_ISO8601:g2uEventTime}"}
}

date {
match => ["g2uEventTime", "ISO8601"]
target => "@timestamp"
}

}

output {

amazon_es {
hosts => ["VALID ELASTIC SEARCH END POINT"]
index => "d2c-%{+YYYY-MM-dd}"
}

stdout { codec => rubydebug }
}

Topic		Replies	Views
Filebeat is not able to parse json from files where \n separated json lines (events) are written Beats filebeat	1	1020	August 27, 2019
Problem parsing Json from Beats Logstash	2	2164	August 28, 2017
Filebeat unable to parse JSON log(contains array) output to logstash Beats filebeat	3	909	November 18, 2020
Custom beat - re-use Filebeat log readers? Beats beats-development	4	1328	July 5, 2017
Problem with JSON logs Beats filebeat	3	561	March 9, 2019