Filebeat parsing log containing structured JSON

bkleynbok · October 3, 2019, 8:15pm

Running ELK Stack 7.3.2 on Linux

I am trying to parse JSON via FIilebeat then output to Elasticsearch and show individual objects of the structured JSON in Kibana.

Here is test.json
[
{
"employee": {
"firstName": "Lokesh",
"lastName": "Gupta",
"website": "howtodoinjava.com"
}
},
{
"employee": {
"firstName": "Brian",
"lastName": "Schultz",
"website": "example.com"
}
}
]

Here is my filebeat.yml
filebeat.inputs:

type: log

enabled: true
paths:
- /opt/filebeat-7.3.2-linux-x86_64/logs/test.json
multiline.pattern: '^{'
multiline.negate: true
multiline.match: after

processors:
- decode_json_fields:
  fields: ["employee"]
  max_depth: 3

output.elasticsearch:
hosts: ["http://myhost:9200"]

I am not able to parse structured JSON

Michael_Madden · October 4, 2019, 1:23am

Hello, do you get an errors when you try to decode your test JSON data? I believe you're on the right track. I was going to suggest using decode_json_fields, but I see it's already in your configuration.

bkleynbok · October 4, 2019, 12:49pm

Nothing gets parsed. I tried a one line JSON in the test.json file.

{ "firstName": "Lokesh","lastName": "Gupta" }

No Elastic search index gets created.

system · November 1, 2019, 12:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.