Filebeat send json data to Elastiksearch isuue

Partha_Biswas · August 13, 2020, 10:45am

I am using filebeat to send log data in ELK kibana.

Log example:- error_log.log

{"type":"ERROR","errorType":"ERROR","message":"Error in add","others":{"error": "something went wrong","source":"/public/new/user"}}
{"type":"ERROR","errorType":"ERROR","message":"Error in update","others":{"error": "something went wrong","source":"/public/users/edit"}}

filebeat.yml:-

   filebeat.inputs:
    - type: log
         enable: true
         paths:
             - error_log.log
         json.keys_under_root: true

    processors:
        - decode_json_fields:
              fields: ["others"]

    filebeat.config.modules:
        path: ${path.config}/modules.d/*.yml

    output.elasticsearch:
        hosts: ["elastic.xyz.xyz:9200"]

kiban logging not working but if I remove json.keys_under_root: true & processors then it's work but only as text format not as json

weltenwort · August 13, 2020, 11:01am

Hi @Partha_Biswas,

the decode_json_fields processor decodes JSON values from string fields. Looking at the example log lines you gave, the value assigned to the others key is not a string, but already an object. That means that the initial JSON parsing via json.keys_under_root should have parsed it already and the that the processor likely fails.

Have you tried removing the processor but leaving the json.keys_under_root in?

Unrelated to the indexing, but important for querying later, in order to properly search the resulting documents you will likely want to declare the others field as a nested-type field in your mapping.

Partha_Biswas · August 14, 2020, 8:17am

Yes, I tried with json.keys_under_root and removed processors
But same kibana logging not work

Is there any problem with my error_log.log because it's json formats but it's file extention not .json and it's all log is not warped with { }

weltenwort · August 17, 2020, 9:36am

I don't expect the file name extension to be of any significance. Could you check if there is anything in the Filebeat logs or Elasticsearch logs that correlates with the parsing failures?

Partha_Biswas · August 21, 2020, 6:38am

Thanks,
I got my error and now it's working

weltenwort · August 21, 2020, 9:32am

That's good to hear. Is it something you can share with the community so we can all learn from it?

system · September 18, 2020, 9:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.