I'm using filebeat to send JSON logs to elasticsearch->kibana.
Here is my filebeat.inputs config params:
filebeat.inputs:
- type: log
enabled: true
paths:
- /home/ubuntu/testlog.*
json.keys_under_root: true
json.add_error_key: true
json.overwrite_keys: true
ignore_decoding_error: true
The following json log is not sent to elasticsearch:
{"name":{"f_name":"john","l_name":"d"}}
But when I change the key "name" to something like "name1" as following:
{"name1":{"f_name":"john","l_name":"d"}}
It works.
I wonder if there are any conflicts? If yes I should be able to see that in filebeat log but even that doesn't have any info on that. I'm looking for filebeats under /var/log/filebeat/filebeat but I can't see any Error.
Few more Json structures that works fine:
{"name":"john"}
{"name":"john", "email":"xyz"}