Json and normal logs as input

Ossenfeld · November 17, 2022, 2:17pm

Hi,

what is the best practice when using filestream as type and having 2 different input paths of logs where 1 is a simple *.log and the other one is a *.json?

Should I still just use e.g. the following although like 50% of the logs are not json?:

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

Another solution could be:

---
- type: filestream
  paths:
    - /var/log/elasticsearch/*.json

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

---
- type: filestream
  paths:
    - /var/log/elasticsearch/gc*

  - multiline:
      type: pattern
      pattern: '...'
      negate: true
      match: after

system · December 15, 2022, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON logs in filestream input not added correctly on Elasticsearch Beats filebeat	1	810	April 26, 2022
Problem with JSON logs Beats filebeat	3	558	March 9, 2019
In filebeat processing json log files that does not need processing Elasticsearch	11	533	October 28, 2023
Filebeat input types log and filestream metadata for file path/name differ Beats filebeat	1	1235	September 14, 2021
Json data logging has strange behaviour Beats filebeat	1	243	October 22, 2019

Json and normal logs as input

Related Topics