Filebeat tags not applied, if JSON event already has a tags field?

uschtwill · October 6, 2017, 8:39am

I have spent quite some time trying to add some tags to Kibana logs yesterday - futilely.

The Kibana logs are in JSON and already contain a "tags" field. The way it looks, Filebeat (maybe beats in general?) chooses not to add tags to an event, if the event has a pre-existing "tags" field - regardless of wether the tags are added via the prospector or "generally".

Is this possible?

steffens · October 6, 2017, 10:51am

Can you share your config? Beats expects tags to be an array of strings.

uschtwill · October 6, 2017, 11:30am

Sure:

filebeat:
  # List of prospectors to fetch data.
  prospectors:
    [{"paths": ["/var/log/*.log", "/var/log/redacted/kibana.json"], "tags": ["filebeat", "filebeat-dev"], "ignore_older": "24h", "encoding": "utf-8", "field": {"type": "filebeatlog"}, "registry_file": "/var/lib/filebeat/registry", "input_type": "log"}]

steffens · October 8, 2017, 10:40am

You also have a sample log event? The tags field must be an array of strings. Checking the source code there might indeed be a problem with the JSON parser not representing the array with the assumed types.

uschtwill · October 12, 2017, 6:03pm

They're really just normal Kibana JSON logs, and tags also contains proper strings:

{"type":"log","@timestamp":"2017-08-22T09:11:11Z","tags":["status","plugin:kibana@5.4.0","info"],"pid":17341,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-08-22T09:11:11Z","tags":["status","plugin:elasticsearch@5.4.0","info"],"pid":17341,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}

steffens · October 13, 2017, 1:01pm

Thanks. I'd say this is a bug in the parsing/normalization code in filebeat. The post-processing should try to convert the tags value to it's proper type.

I filed this bug report. Feel free to add any context/config/logs/events that might help. Btw. it's tagged for Hacktoberfest if you want to give it a shot

uschtwill · October 13, 2017, 3:07pm

Thanks, for following up on this, you're welcome.

system · November 10, 2017, 3:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiline is not getting added to the "tag" field Beats filebeat	4	673	August 30, 2018
Beats_input_raw_event Beats	7	2811	June 5, 2018
Can I override existing tags field using filebeat? Beats filebeat	2	517	April 28, 2017
Add tags to Filebeat module configuration? Beats filebeat	2	1047	February 2, 2022
Json format and types Beats filebeat	3	3055	August 9, 2018

Filebeat tags not applied, if JSON event already has a tags field?

Related topics