we have a python application logging to syslog in json format but syslog allows appends a timestamp with the json message,
Jan 26 11:07:14 mkobit-ThinkPad {"@source_host": "mkobit-ThinkPad", "module": "pyscratch", "lineno": 63, "pathname": "pyscratch.py", "funcName": "", "message": "HEY there!", "levelname": "INFO", "@timestamp": "2018-01-26T17:07:14.743Z"}
can filebeat handle such a message with this type of format?
Hello @ramzey1981,
Out of the box you won't be able to parse that kind of message, you will either need to send the message to an ingest pipeline or Logstash and the beats input for more event parsing using grok and the json decoder.
Thanks
thanks Pier,
Yes we thought that json decode would be able to do it but after reading the documentation seems like the first two strings has to be an actual json object which its really not because of the format.
If i send this to logstash i an grok the first field as timestamp and the second filed has hostname or source but then what would I do with the json message field?
@ramzey1981 Use grok filter to extract the3 fields:
After use the logstash-filer-json on the json_source field.
This scenario will work on either Logstash or the ingest pipeline, since they can both work with this kind of data.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.