Json forwarding (multiple fields)


I'm trying to set up json forwarding from our filebeats to our logstash which will eventually forward it to the correct index in ElasticSearch. For several logs this works but one specific one fails for us and it looks like this:


I've tested several scenarios and concluded that it fails due to the 'extraProperties' field, when I copy/paste a line and edit it in the same file it does get send to the correct index. But the above log line is a valid JSON so I don't get why it fails and it also doesn't show up as failed since we check for the '_jsonparsefailure' tag in our logstash configuration.

The filebeat configuration looks as follows:

  • type: log
    • /var/log/test-session/access*.log
      env: qa
      server: cordocker01.qa.test.be
      app: tarification-session-access
      logstash_template: access-logs
      fields_under_root: true
      json.keys_under_root: true
      json.add_error_key: true
      json.overwrite_keys: true

Has anybody else experienced this issue or is this just not possible?

Thank you for your help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.