Is it possible to mix json and plain text?

Mikael_Elkiaer · October 24, 2019, 7:24pm

I use filebeat to grab my Docker logs. Most of these are plain text. However, for self-created services I like to use Serilog for structured logging and it therefore formats the logs in elasticsearch format.

Is it possible to somehow enable json decoding partially, and let non-json logs go through as though json decoding wasn't enabled? Possibly by configuring multiple container inputs and filtering appropriately?

I already tried enabling json decoding, but then all non-json logs will result in an elasticsearch error, which ironically also fails as the log message is a cropped json body.

pmercado · October 25, 2019, 12:26pm

Hi @Mikael_Elkiaer,

would adding some conditions as depicted here:
https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html

for the json processor help?
you could conditionally apply the json decoding based on the fetched fields.

Mikael_Elkiaer · October 25, 2019, 2:30pm

That's what I was hoping you could tell me.
How would I add such a processor so that it would send the message as is if it is plain text, or decode the message if it is json?

Topic		Replies	Views
Ingest mixed container logs with text and JSON [ECK][filebeat] Beats filebeat	3	1695	December 16, 2021
Filebeat 7.2 shipping to elastic cloud .yml - Error Decoding Json logs Beats filebeat	5	637	August 13, 2019
Need help with parsing json fields Logs	4	3756	April 15, 2019
Filebeat-oss 7.5.2 not parsing string as json Beats filebeat	3	1429	February 22, 2020
Mixed document types: json and plain text Beats filebeat	2	1186	September 5, 2018

Is it possible to mix json and plain text?

Related topics