How to send JSON directly to elasticsearch w/o any parsing in logstash

raychen11 · March 9, 2018, 7:34pm

hey folks,

My log files are already in JSON format and I have full control of how they look. When I use logstash, looks like I have to specify the input as JSON either in File plugin (use codec) or Filter (use json). I want to make logstash consume less CPU resources, say without any parsing, just read and send.

Here are my configurations
logstash 2.1

input file
{"@timestamp":"2018-03-08T22:15:44,267", "className":"myClassName","logLevel":"WARN","threadName":"main","requestId":"","message":"some messages"}

input {
   file {
      path => "my.json*"
      exclude => "*.gz"
      sincedb_path => "file.sincedb"
      type => "some_tpye"
   }
}
filter {
   #json {
   #  source => "message"
   #}
   mutate {
      remove_field => ["@version", "path"]
   }
}
output {
   stdout{ codec => rubydebug { metadata => true }}
}

The output

{
    "message" => "{\"@timestamp\":\"2018-03-08T22:15:44,267\", \"className\":\"myClassName\",\"logLevel\":\"WARN\",\"threadName\":\"main\",\"requestId\":\"\",\"message\":\"some messages\"}",
    "type" => "some_tpye",
    "@metadata" => {
      "path" => "file_path"
    }
}

My question is

how to make logstash read json directly and send to elasticsearch w/o parsing, current file input will set each line as message, which is not needed.

I know JSON filter works, but I want to use less host resources. As far as I know, JSON filter will still validate the input, which may hurt when we have large input.

Thanks!

yaauie · March 10, 2018, 1:19am

Unfortunately this isn't possible.

The intermediate representation of an event in a Logstash pipeline is called Event, which is a fully-contextualised object with fields and metadata.

The logstash-output-elasticsearch plugin knows how to inject this Event into a bulk request against the Elasticsearch API, and uses individual attributes of the Event to formulate each entry in the bulk insert request (such as which index to insert to, the document's id, etc.); it cannot use individual attributes unless it first parses the event.

That said, you may be interested in using a Filebeat, and sending the logs directly to Elasticsearch (docs, compatibility matrix); Beats are extremely light-weight log- and metric-shippers that are useful for capturing logs and metrics on edge machines.

raychen11 · March 12, 2018, 5:20pm

Hey Ry, sounds like filebeat suits my case better. Thanks for the this!

system · April 9, 2018, 5:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Send JSON formatted logs directly to elasticsearch Elasticsearch	5	9019	April 4, 2017
How to send JSON directly to elasticsearch w/o any parsing in logstash Logstash	1	302	November 2, 2020
Using logstash filters to convert stdin message to be the json written to elasticsearch Logstash	3	2000	July 6, 2017
Logstash import file from url Logstash	9	1250	September 10, 2021
I want to send this log in json without logstash Elasticsearch	6	557	June 17, 2022

How to send JSON directly to elasticsearch w/o any parsing in logstash

Related topics