Json and normal logs as input

Ossenfeld · November 17, 2022, 2:17pm

Hi,

what is the best practice when using filestream as type and having 2 different input paths of logs where 1 is a simple *.log and the other one is a *.json?

Should I still just use e.g. the following although like 50% of the logs are not json?:

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

Another solution could be:

---
- type: filestream
  paths:
    - /var/log/elasticsearch/*.json

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

---
- type: filestream
  paths:
    - /var/log/elasticsearch/gc*

  - multiline:
      type: pattern
      pattern: '...'
      negate: true
      match: after

system · December 15, 2022, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON logs in filestream input not added correctly on Elasticsearch Beats filebeat	1	810	April 26, 2022
Problem with JSON logs Beats filebeat	3	561	March 9, 2019
In filebeat processing json log files that does not need processing Elasticsearch	11	572	October 28, 2023
Have logstash automatically parse any .json files Logstash	7	480	August 14, 2020
Filebeat input types log and filestream metadata for file path/name differ Beats filebeat	1	1237	September 14, 2021

Json and normal logs as input

Related topics