Moving from JSON to non-JSON input filter

ZillaG · March 2, 2017, 3:09pm

I've been sending our application logs via UDP wrapped in a JSON format, so the log looks something like this

{
  "key1" : "value1",
  "key2" : "value2",
  "message" : "2017-03-02 INFO com.company.app Hello world!"
}

and my Logstash input filter looks like tis

input {
  udp {
    port => 1234
    codec => json
  }
}

However Logstash gives me _jsonparsefailure when the message contains a long stack dump or an XML file. (See Help with _jsonparsefailure)

So I want to try sending my logs in a non-JSON format, and I have two questions.

Question 1:

Should I send them like this, i.e., single line

key1: value1 key2: value2 message: 2017-03-02 INFO com.company.app Hello world!

...or should I send them like this, that is, multi-lines

key1: value1 key2: value2 message: 2017-03-02 INFO com.company.app Hello world!

Question 2:
In either case, how should my input filter look like so I can separate logs from each other?

This is the main reason I wrapped the logs in JSON in the first place since they were naturally separated.

I hope that makes sense. Thanks!

system · March 30, 2017, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exctracting JSON format of data from the Input logs containing both JSON and Plain Text Logstash	4	500	September 7, 2018
Logstash parse only JSON messages Logstash	3	376	June 29, 2018
Logstash Filter help - Newbie question Logstash	6	315	February 17, 2022
Json filter question Logstash	3	315	July 6, 2017
Mixed JSON input and Other Log files with Multiline codec Logstash	4	1814	July 6, 2017