How to get multiline JSON parsing configured?

houmie · November 14, 2020, 5:19pm

Hello,

When I try to activate multiline JSON parsing directly I get this error message::

Exiting: Failed to start crawler: starting input failed: Error while initializing input: When using the JSON decoder and multiline together, you need to specify a message_key value accessing 'filebeat.inputs.0' (source:'/etc/filebeat/filebeat.yml')

I don't quite understand json.message_key.
This is my JSON:

{
"email": "hh@gmail.com",
"event": "resources.connect_v5",
"level": "info",
"req_vpn": "DE-FSN-X",
"request_id": "51cfc42e-62f1-45c5-b075-e2bae5b42a3b",
"timestamp": "2020-11-14T16:18:36.830208Z",
"vpn_code": "DE-FSN-X"
}
{
...
}

filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /home/admin/file.json
  json.keys_under_root: true
  json.add_error_key: true
  multiline.type: pattern
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after

Thank you,
Houman

wangqinghuan · November 14, 2020, 5:39pm

Follow this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/file.json
  multiline.pattern: '^{'
  multiline.negate: true 
  multiline.match: after
  processors:
  - decode_json_fields:
      fields: ["message"]
      target: "json"

system · December 12, 2020, 7:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.