Filebeat with json logs, using template

Frank_Wang · September 19, 2019, 2:26pm

Assume I have Logs like:

{"CFSItemName":"mds list user fs","CFSCluster":"clu01","Item":[{"TotalBytes":9223372036854775808,"FreeBytes":9223372036854763507,"Fsname":"fs-z0gzns5267"},{"TotalBytes":1233372036854775808,"FreeBytes":2132036854763507,"Fsname":"fs-qweasqw17"}]}

And I have fields.yml like

---
key: ecs
title: ECS
description: ECS Fields.
fields:
- name: "@timestamp"
  level: core
  required: true
  type: date
  example: '2016-05-23T08:05:34.853Z'
- name: log.message
  type: text
  level: core
  ignore_above: 0
  required: true
  fields:
  - name: CFSItemName
    type: text
    required: true
  - name: CFSCluster
    type: text
    required: true
  - name: Item
    type: object
    required: true
    fields:
    - name: TotalBytes
      type: long
    - name: FreeBytes
      type: long
    - name: Fsname
      type: text

Question is

Is my fields.yml right?
How should I define my template if logs has different format?

another format is like

{"CFSItemName":"block manager","CFSCluster":"clu01","Item":[{"BlockTotal": 175125808,"FreeBlock":1763507,"BlockNode":"bk-23aqds5267"},{"BlockTotal": 5635125808,"FreeBlock":2354507,"BlockNode":"bk-ubwed1368"}]}

system · October 17, 2019, 2:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.