How can I expose new fields sourced from the log record?

andrewkroh · October 12, 2016, 10:53pm

It is possible to parse the JSON messages in Filebeat 5.x, but not in Filebeat 1.x. A json option can be specified in the configuration file.

If you are limited to using Filebeat 1.x, then you would need to Logstash to parse the JSON data from the message field. You would configure Filebeat -> Logstash -> Elasticsearch.

Filebeat 5.x configuration:

filebeat:
  prospectors:
    - paths:
        - /var/log/app.log
      json.message_key: msg
      json.keys_under_root: true
      json.add_error_key: true

output:
  console:
    pretty: true

Topic		Replies	Views
How can I expose new fields embodied in top-level fields? Kibana	2	751	July 6, 2017
JSON log, only root level fields being indexed Beats filebeat	10	1609	July 27, 2018
'Index' json 'message' field without Logstash but within Filebeat? Filebeat > ES > Kibana Beats filebeat	2	291	April 1, 2022
Can I put the logLine in a different field as message on log basis? Beats filebeat	1	320	October 7, 2019
Filebeat JSON Index Fields Beats filebeat	1	983	July 30, 2016

How can I expose new fields sourced from the log record?

Related topics