How to sync custom template with Incoming data from Filebeat?

sukesh_nagaraja · May 7, 2018, 4:02pm

Hi , I am trying to index json data to elasticsearch from Filebeat.

the data shipped by filebeat is as follows :

{"first name":"abc","last name":"efg","age":26,"city":"newyork","country":"USA","zipcode":"10001"}
{"first name":"xyz","last name":"lmn","age":28,"city":"herndon","country":"USA","zipcode":"20170"}
{"first name":"abc","last name":"pqr","age":27,"city":"chantilly","country":"USA","zipcode":"20152"}

filebeat.yml contains below config :

filebeat.prospectors:

type: log
enabled: true
paths:
- /home/sukesh/Downloads/json/*.json
  exclude_files: ['.csv$','.xml$','.txt$','.gz$']

#Elasticsearch template setting
setup.template.name: "Tname"
setup.template.pattern: "Tname-*"
#setup.template.fields: "/home/sukesh/Desktop/fields.yml"
#setup.template.overwrite: true
setup.template.settings:
index.number_of_shards: 2
#index.codec: best_compression
#_source.enabled: true

#General
tags: ["pattern1_json"]

#Kibana
setup.kibana:
host: "localhost:5601"
username: "elastic"
password: "sukesh"

#Outputs
output.elasticsearch:
hosts: ["localhost:9301"]
index: "Iname"
username: "elastic"
password: "sukesh"

I created template in elasticsearch as follows :

PUT _template/Tname
{
"index_patterns" : ["Iname*"],
"settings" : {
"number_of_shards" : 1
},
"mappings":{
"Idoc_type":{
"properties":{
"first name":{"type":"text"},
"last name":{"type":"text"},
"age":{"type":"integer"},
"city":{"type":"text"},
"country":{"type":"text"},
"zipcode":{"type":"text"}
}
}
}
}

I did a config test and output check and its fine.

i checked data in kibana but entire json is poping under message field:

"message" :{"first name":"abc","last name":"efg","age":26,"city":"newyork","country":"USA","zipcode":"1001"}

This means my template is not working. i need all the fields of json in kibana not under message

Pls guide me how can i sync my template with incoming data. do i need to use fields.yml?

Filebeat -> elasticsearch -> kibana

pierhugues · May 8, 2018, 8:12pm

Hello @sukesh_nagaraja,

You can control the behavior of the JSON parser in Filebeat at the prospector level.

The option you want is json.keys_under_root: true

keys_under_root
By default, the decoded JSON is placed under a "json" key in the output document. If you enable this setting, the keys are copied top level in the output document. The default is false.

sukesh_nagaraja · May 8, 2018, 9:24pm

Thanks for the response. I tried below it works.

      filebeat.prospectors:
      - type: log
      enabled: true
      paths:
      - /home/sukesh/Downloads/json/*.json  

     json.keys_under_root: true
     json.add_error_key: true

     setup.kibana:
     host: "localhost:5601"
     username: "elastic"
     password: "sukesh"

     output.elasticsearch:
     hosts: ["localhost:9301"]
     index: "freddie_test"
     username: "elastic"
     password: "sukesh"

the above config works for very simple json with no nesting data and multiline

to handle multiline : i have below config but all content sits under one field called "log".

sample data:
{"nesting data":[{"category":"Audi","region":"East","monthlySales":[{"month":20130101,"sales":38},{"month":20130201,"sales":35},{"month":20130301,"sales":41},{"month":20130401,"sales":55},{"month":20130501,"sales":58},{"month":20130601,"sales":66},{"month":20130701,"sales":74},{"month":20130801,"sales":78},{"month":20130901,"sales":38},{"month":20131001,"sales":30},{"month":20131101,"sales":26},{"month":20131201,"sales":29}]},{"category":"Technology","region":"West","monthlySales":[{"month":20130101,"sales":54},{"month":20130201,"sales":66},{"month":20130301,"sales":77},{"month":20130401,"sales":70},{"month":20130501,"sales":60},{"month":20130601,"sales":63},{"month":20130701,"sales":55},{"month":20130801,"sales":47},{"month":20130901,"sales":55},{"month":20131001,"sales":30},{"month":20131101,"sales":22},{"month":20131201,"sales":77}]}]}

config details:

      filebeat.prospectors:
     - type: log
     enabled: true
     paths:
         - /home/sukesh/Downloads/json/*.json

     json.message_key: log
     json.keys_under_root: true
     json.add_error_key: true

   multiline.pattern: '^{'
   multiline.negate: true
   multiline.match:  after
   processors:
   - decode_json_fields:
   fields: ['message']
   target: json  

   setup.kibana:
   host: "localhost:5601"
   username: "elastic"
   password: "sukesh"

   output.elasticsearch:
   hosts: ["localhost:9301"]
   index: "freddie_test"
   username: "elastic"
   password: "sukesh"

How can i get each key values individually rather than wrapped up under one field?

system · June 5, 2018, 9:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Send custom logs to elasticsearch with predefined list of fields Beats filebeat	3	186	September 5, 2023
Custom name with Filebeat Beats filebeat	5	206	March 27, 2024
Filebeat output to custom index name not working when a template is used Beats filebeat	2	140	April 29, 2024
Filebeat loading index template JSON not working Beats filebeat	1	447	May 15, 2020
Custom filebeat template for JSON log lines Beats filebeat	7	15839	February 20, 2018

How to sync custom template with Incoming data from Filebeat?

Related Topics