JSON and normal logs as input

Hi,

What is the best practice when using filestream as type and having 2 different input paths of logs where 1 is a simple *.log and the other one is a *.json?

Should I still just use e.g. the following, although like 50% of the logs are not JSON?

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

Another solution could be:

---
- type: filestream
  paths:
    - /var/log/elasticsearch/*.json

  parsers:
  - ndjson:
      keys_under_root: true
      expand_keys: true

---
- type: filestream
  paths:
    - /var/log/elasticsearch/gc*

  parsers:
  - multiline:
      type: pattern
      pattern: '...'
      negate: true
      match: after
