Filebeat - Parse json output

arianmotamedi · April 23, 2019, 4:46pm

I realize this has been asked numerous times but I'm having a hard time getting Filebeat 6.2.4 to send json logs to Elasticsearch (without Logstash) in a K8s environment. For example for a given json log:

{"@timestamp":"2019-04-23T16:22:33.979906989Z","application":"my-app","correlation_id":"55189165-dafa-4b22-a720-adfa9eafc6e6","data_version":2,"description":"","envoy_data":{"downstream_local":{"address":"127.0.0.1","port":12345,"protocol":"TCP"},"downstream_remote":{"address":"127.0.0.1","port":56004,"protocol":"TCP"},"listener":"ingress","request_received_time":"2019-04-04T16:22:33.979Z","request_start_time":"2019-04-04T16:22:33.979Z","response_duration_ms":0,"response_received_time":"2019-04-04T16:22:33.979Z","response_start_time":"2019-04-04T16:22:33.979Z","upstream_cluster":"my-service","upstream_remote":{"address":"127.0.0.1","port":8080,"protocol":"TCP"}},"level":"info","msg":"","roletype":"my-role-type","service":"foobar","type":"log"}

The entry in Kibana looks like this:

The json output is being logged under the log field. I need the fields to be parsed and placed in the root document, and my understanding was json.keys_under_root: true would do the trick, but doesn't seem to. Below is my full config:

apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
    kubernetes.io/cluster-service: "true"
data:
  filebeat.yml: |-
    filebeat.config:
      prospectors:
        path: ${path.config}/prospectors.d/*.yml
        reload.enabled: false
      modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: false
    logging.level: debug
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:443}']
      template.name: filebeat
      template.path: filebeat.template.json

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-prospectors
  namespace: kube-system
  labels:
    k8s-app: filebeat
    kubernetes.io/cluster-service: "true"
data:
  kubernetes.yml: |-
    - type: log
      paths:
        - /var/lib/docker/containers/*/*.log
      json.add_error_key: true
      json.keys_under_root: true
      json.message_key: log
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
            namespace: ${POD_NAMESPACE}

Any help in the right direction would be appreciated.

steffens · April 23, 2019, 9:53pm

I see you have configured your docker containers as path, but type log. Docker itself embeds logs in JSON, which gives you JSON in JSON.

Have you tried the docker input type instead of 'log' ?

arianmotamedi · April 29, 2019, 5:52pm

Actually turns out my log file had multi-lines in it. adding

multiline.pattern: '^{'
multiline.negate: true
multiline.match: after

as well as

- decode_json_fields:
    fields: ["log"]
    process_array: false
    max_depth: 5
    target: ""
    overwrite_keys: true

to the list of processors fixed the issue.

system · May 27, 2019, 5:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat -> ElasticSearch for logrus running on k8s Beats filebeat	28	1657	September 26, 2022
Parse json data from log file into Kibana via Filebeat and Logstash Beats filebeat	10	9548	May 19, 2020
Parse JSON data with filebeat Beats filebeat	8	59753	April 24, 2017
Json format and types Beats filebeat	3	3055	August 9, 2018
Filebeat shipped json file : how to get needed fields? Logstash	2	835	July 6, 2017

Filebeat - Parse json output

Related topics