Hi there,
I'm very very new to ELK and I am facing an issue.
I try to send a json file containing several json object (one per line) from a Java application to logstash.
Here is the file I send over http post request to logstash
{"ISO8601 TIME":"2024-07-16T03:00:03.591148+02:00","name":"bob","age":20,"index_":"test-log"}
{"ISO8601 TIME":"2024-07-16T03:00:04.591148+02:00","name":"patrick","age":19,"index_":"test-log"}
{"ISO8601 TIME":"2024-07-16T03:00:05.591148+02:00","name":"carlo","age":40,"index_":"test-log"}
{"ISO8601 TIME":"2024-07-16T03:00:06.591148+02:00","name":"captain krabs","age":54,"index_":"test-log"}
{"ISO8601 TIME":"2024-07-16T03:00:07.591148+02:00","name":"garry","age":8,"index_":"test-log"}
{"ISO8601 TIME":"2024-07-16T03:00:08.591148+02:00","name":"sandy","age":22,"index_":"test-log"}
Here is the java code portion were I send the file :
HttpClient client = HttpClient.newBuilder()
.followRedirects(HttpClient.Redirect.ALWAYS)
.build();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(PropertiesManager.getConfig().getProperty("endpoint")))
.timeout(Duration.ofMinutes(2))
.header("Content-Type","application/json")
.method("POST", BodyPublishers.ofFile(jsonFile.toPath()))
.build();
HttpResponse response = client.send(request, BodyHandlers.ofString());
Here is my logstash.conf file :
input {
http {
port => 5044
codec => json_lines
}
}
output {
elasticsearch {
hosts => "https://localhost:9200"
ssl_certificate_authorities => ["C:\Users\xxx\Elastic\logstash-8.14.1\config\certs\http_ca.crt"]
user => "xxx" # replaced
password => "xxx" # replaced
index => "%{[index_]}-%{+YYYY.MM.dd}"
}
}
My json file is correctly sent to logstash, but whenever the data is sent to elastic, I just have one document created, only the first json line of the file.
The most strange part is that the whole file is stored in the document, in the "event.original" field :
{
"@timestamp": [
"2024-07-20T14:34:12.714Z"
],
"@version": [
"1"
],
"@version.keyword": [
"1"
],
"age": [
20
],
"event.original": [
"{\"ISO8601 TIME\":\"2024-07-16T03:00:03.591148+02:00\",\"name\":\"bob\",\"age\":20,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:04.591148+02:00\",\"name\":\"patrick\",\"age\":19,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:05.591148+02:00\",\"name\":\"carlo\",\"age\":40,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:06.591148+02:00\",\"name\":\"captain krabs\",\"age\":54,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:07.591148+02:00\",\"name\":\"garry\",\"age\":8,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:08.591148+02:00\",\"name\":\"sandy\",\"age\":22,\"index_\":\"test-log\"}\r\n"
],
"event.original.keyword": [
"{\"ISO8601 TIME\":\"2024-07-16T03:00:03.591148+02:00\",\"name\":\"bob\",\"age\":20,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:04.591148+02:00\",\"name\":\"patrick\",\"age\":19,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:05.591148+02:00\",\"name\":\"carlo\",\"age\":40,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:06.591148+02:00\",\"name\":\"captain krabs\",\"age\":54,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:07.591148+02:00\",\"name\":\"garry\",\"age\":8,\"index_\":\"test-log\"}\r\n{\"ISO8601 TIME\":\"2024-07-16T03:00:08.591148+02:00\",\"name\":\"sandy\",\"age\":22,\"index_\":\"test-log\"}\r\n"
],
"host.ip": [
"127.0.0.1"
],
"host.ip.keyword": [
"127.0.0.1"
],
"http.method": [
"POST"
],
"http.method.keyword": [
"POST"
],
"http.request.body.bytes": [
"589"
],
"http.request.body.bytes.keyword": [
"589"
],
"http.request.mime_type": [
"application/json"
],
"http.request.mime_type.keyword": [
"application/json"
],
"http.version": [
"HTTP/1.1"
],
"http.version.keyword": [
"HTTP/1.1"
],
"index_": [
"test-log"
],
"index_.keyword": [
"test-log"
],
"ISO8601 TIME": [
"2024-07-16T01:00:03.591Z"
],
"name": [
"bob"
],
"name.keyword": [
"bob"
],
"url.domain": [
"127.0.0.1"
],
"url.domain.keyword": [
"127.0.0.1"
],
"url.path": [
"/"
],
"url.path.keyword": [
"/"
],
"url.port": [
5044
],
"user_agent.original": [
"Java-http-client/17.0.11"
],
"user_agent.original.keyword": [
"Java-http-client/17.0.11"
],
"_id": "l9eQ0JABEpRCJdcZj2Hq",
"_index": "test-log-2024.07.20",
"_score": null
}
What am I doing wrong ?
I have tried a lot of different options in logstash conf file, but none of them solved my problem unfortunately.
Any help would be appreciated.
Thanks