Filebeat send json data to Elastiksearch isuue

Partha_Biswas · August 13, 2020, 10:45am

I am using filebeat to send log data in ELK kibana.

Log example:- error_log.log

{"type":"ERROR","errorType":"ERROR","message":"Error in add","others":{"error": "something went wrong","source":"/public/new/user"}}
{"type":"ERROR","errorType":"ERROR","message":"Error in update","others":{"error": "something went wrong","source":"/public/users/edit"}}

filebeat.yml:-

   filebeat.inputs:
    - type: log
         enable: true
         paths:
             - error_log.log
         json.keys_under_root: true

    processors:
        - decode_json_fields:
              fields: ["others"]

    filebeat.config.modules:
        path: ${path.config}/modules.d/*.yml

    output.elasticsearch:
        hosts: ["elastic.xyz.xyz:9200"]

kiban logging not working but if I remove json.keys_under_root: true & processors then it's work but only as text format not as json

weltenwort · August 13, 2020, 11:01am

Hi @Partha_Biswas,

the decode_json_fields processor decodes JSON values from string fields. Looking at the example log lines you gave, the value assigned to the others key is not a string, but already an object. That means that the initial JSON parsing via json.keys_under_root should have parsed it already and the that the processor likely fails.

Have you tried removing the processor but leaving the json.keys_under_root in?

Unrelated to the indexing, but important for querying later, in order to properly search the resulting documents you will likely want to declare the others field as a nested-type field in your mapping.

Partha_Biswas · August 14, 2020, 8:17am

Yes, I tried with json.keys_under_root and removed processors
But same kibana logging not work

Is there any problem with my error_log.log because it's json formats but it's file extention not .json and it's all log is not warped with { }

weltenwort · August 17, 2020, 9:36am

I don't expect the file name extension to be of any significance. Could you check if there is anything in the Filebeat logs or Elasticsearch logs that correlates with the parsing failures?

Partha_Biswas · August 21, 2020, 6:38am

Thanks,
I got my error and now it's working

weltenwort · August 21, 2020, 9:32am

That's good to hear. Is it something you can share with the community so we can all learn from it?

system · September 18, 2020, 9:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse json data from log file into Kibana via Filebeat and Logstash Beats filebeat	10	9540	May 19, 2020
Filebeat - Parse json output Beats filebeat	3	604	May 27, 2019
Parse JSON data with filebeat Beats filebeat	8	59689	April 24, 2017
Filebeat 5.0.0-alpha3 not parsing the JSON messages, it shows up as a string Beats filebeat	4	1385	July 13, 2016
'Index' json 'message' field without Logstash but within Filebeat? Filebeat > ES > Kibana Beats filebeat	2	289	April 1, 2022

Filebeat send json data to Elastiksearch isuue

Related Topics