Filebeat tags not applied, if JSON event already has a tags field?

uschtwill · October 6, 2017, 8:39am

I have spent quite some time trying to add some tags to Kibana logs yesterday - futilely.

The Kibana logs are in JSON and already contain a "tags" field. The way it looks, Filebeat (maybe beats in general?) chooses not to add tags to an event, if the event has a pre-existing "tags" field - regardless of wether the tags are added via the prospector or "generally".

Is this possible?

steffens · October 6, 2017, 10:51am

Can you share your config? Beats expects tags to be an array of strings.

uschtwill · October 6, 2017, 11:30am

Sure:

filebeat:
  # List of prospectors to fetch data.
  prospectors:
    [{"paths": ["/var/log/*.log", "/var/log/redacted/kibana.json"], "tags": ["filebeat", "filebeat-dev"], "ignore_older": "24h", "encoding": "utf-8", "field": {"type": "filebeatlog"}, "registry_file": "/var/lib/filebeat/registry", "input_type": "log"}]

steffens · October 8, 2017, 10:40am

You also have a sample log event? The tags field must be an array of strings. Checking the source code there might indeed be a problem with the JSON parser not representing the array with the assumed types.

uschtwill · October 12, 2017, 6:03pm

They're really just normal Kibana JSON logs, and tags also contains proper strings:

{"type":"log","@timestamp":"2017-08-22T09:11:11Z","tags":["status","plugin:kibana@5.4.0","info"],"pid":17341,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-08-22T09:11:11Z","tags":["status","plugin:elasticsearch@5.4.0","info"],"pid":17341,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}

steffens · October 13, 2017, 1:01pm

Thanks. I'd say this is a bug in the parsing/normalization code in filebeat. The post-processing should try to convert the tags value to it's proper type.

I filed this bug report. Feel free to add any context/config/logs/events that might help. Btw. it's tagged for Hacktoberfest if you want to give it a shot

uschtwill · October 13, 2017, 3:07pm

Thanks, for following up on this, you're welcome.

system · November 10, 2017, 3:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.