Hi,
What is the best practice when using filestream as type and having 2 different input paths of logs, where 1 is a simple *.log and the other one is a *.json?
Should I still just use e.g. the following, although like 50% of the logs are not JSON?
parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true
Another solution could be:
---
- type: filestream
  paths:
    - /var/log/elasticsearch/*.json
  parsers:
    - ndjson:
        keys_under_root: true
        expand_keys: true
---
- type: filestream
  paths:
    - /var/log/elasticsearch/gc*
  # multiline is a filestream parser, so it has to sit under parsers:
  parsers:
    - multiline:
        type: pattern
        pattern: '...'
        negate: true
        match: after