Multiple Beat Imports different codec

ado · September 22, 2016, 8:52am

Hi,

I do use on client side top, packet and filebeat.
The filebeat service ready log file which is json formatted per line.
filebeat.yml

filebeat:
    prospectors:
        -
            paths:
                - /srv/ucweb/logs/main*.txt
            input_type: log
output:
    logstash:
        hosts: ["xxxxxx"]
        index: filebeat

On server side all beat services first send their data to a logstash with beat import
logstash.config on server:

input {
    beats {
        port => 5044
        # codec => "json_lines"
        type => "packetbeat"
    }
}

output {
    elasticsearch {
        hosts => "127.0.0.1:9200"
        manage_template => false
        index => "%{[@metadata][beat]}"
        document_type => "%{[@metadata][type]}"
    }
}

My problem is that the JSON content from the logs are just a string in the elasticsearch db. Under the "message" tag. If I comment in codec => "json_lines" no data from filebeat is imported to elasticsearch.

Thank you very much

ado · September 22, 2016, 9:25am

The trick was just to use

codec => "json"

instead of

codec => "json_lines"

Itrs strange because the logfiles i used where JSON line determinated linke
{"a": "b"}\n
{"a": "c"}....

Topic		Replies	Views
Parse / ship JSON file with filebeat Beats filebeat	6	17503	July 5, 2017
SImple direct from log file JSON to elasticsearch Beats	4	1210	October 13, 2016
Filebeat: Payload Format Beats	2	1107	July 5, 2017
Using Logstash to ingest Topbeat data that is output in file mode Beats	3	1313	July 5, 2017
Filebeats input json_lines only processing single entry Logstash	3	1854	November 19, 2018

Multiple Beat Imports different codec

Related topics