How to get multiline JSON parsing configured?

houmie · November 14, 2020, 5:19pm

Hello,

When I try to activate multiline JSON parsing directly I get this error message::

Exiting: Failed to start crawler: starting input failed: Error while initializing input: When using the JSON decoder and multiline together, you need to specify a message_key value accessing 'filebeat.inputs.0' (source:'/etc/filebeat/filebeat.yml')

I don't quite understand json.message_key.
This is my JSON:

{
"email": "hh@gmail.com",
"event": "resources.connect_v5",
"level": "info",
"req_vpn": "DE-FSN-X",
"request_id": "51cfc42e-62f1-45c5-b075-e2bae5b42a3b",
"timestamp": "2020-11-14T16:18:36.830208Z",
"vpn_code": "DE-FSN-X"
}
{
...
}

filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /home/admin/file.json
  json.keys_under_root: true
  json.add_error_key: true
  multiline.type: pattern
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after

Thank you,
Houman

wangqinghuan · November 14, 2020, 5:39pm

Follow this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/file.json
  multiline.pattern: '^{'
  multiline.negate: true 
  multiline.match: after
  processors:
  - decode_json_fields:
      fields: ["message"]
      target: "json"

system · December 12, 2020, 7:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble parsing multi-line json logs Beats	3	4351	October 9, 2018
Filebeat multiline help Beats filebeat	4	1630	July 5, 2017
Multiline logs are not working using filebeat Beats filebeat	1	507	November 19, 2021
Filebeat configuration : multiline.* (working) vs parsers (not working) Beats docker , filebeat	3	344	December 31, 2023
Filebeat Error decoding JSON: json: cannot unmarshal string into Go value of type map Beats filebeat	6	7188	March 27, 2019

How to get multiline JSON parsing configured?

Related Topics