Omit non-json lines in log files while still allowing json parsing

Gregory_Zimmers · January 9, 2020, 12:29am

I've found that I'm only able to apply ['^{'] this pattern to include_lines when I omit json parsing from the yml. After reading the documentation, it implies the line_filtering is done after parsing, so if that's the case, how do I filter lines that I don't want included?

Examples below

This works

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /applogs/*.log*
    include_lines: ['^{']
#    json.message_key: "level"
#    json.keys_under_root: true
#    json.overwrite_keys: true
processors:
  - add_fields:
      fields:
        kibanaspace: "specific-space"

This does not.

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /applogs/*.log*
    include_lines: ['^{']
    json.message_key: "level"
    json.keys_under_root: true
    json.overwrite_keys: true
processors:
  - add_fields:
      fields:
        kibanaspace: "specific-space"

given an input log file of

{"level": "INFO", "workerId": "5cced6bb522d-10-139641205327616", "traceId": null, "message": "Metrics blah", "datetime": "20-01-09 00:17:10:446539"}
{"level": "INFO", "workerId": "5cced6bb522d-10-139641205327616", "traceId": null, "message": "Metrics blah", "datetime": "20-01-09 00:17:10:446539"}
This is a 3rd party log that I dont want captured
Another unstructured log I want filtered out

faec · January 9, 2020, 8:43pm

Yes, line filtering happens after parsing. What happens in this case is that it tries to parse the incoming log line as json, then if it succeeds, it looks for a key "level" in the json and requires that it's a string beginning with { (which is not what you want).

Right now I don't believe there's a way to really interleave json and non-json, however if you only want to keep the json entries as in your example, then you should be able to just enable json without any filtering options, as lines that can't be decoded as json are ignored by default. In that case you probably just need:

  json.keys_under_root: true
  json.overwrite_keys: true

Gregory_Zimmers · January 10, 2020, 7:16pm

For some reason, 99% of my third party logs that were not json were still being successfully parsed by filebeats and ingested by logstash/elastic. So instead, to filter out the lines that I want excluded post-filtering, I forced the existence of a field after parsing.

processors:
    - drop_event:
        when:
          not:
            has_fields: ["level"]

This worked in filtering out json parsed lines that did not contain the expected level field. I plan on adjusting my schema to conform to ECS 1.4. But this was a good first step in removing noise.

system · February 7, 2020, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ignore lines which are not JSON in log file using Filebeat Beats filebeat	4	2306	July 23, 2019
Include_lines not match with "^\\{" Beats filebeat	1	267	April 7, 2020
Exclude lines regex for excluding all non json logs is not working Beats filebeat	12	3031	March 29, 2019
Want to parse multiline json logs using filebeat and logstash except non-josn logs without any failure Beats filebeat	1	1758	May 29, 2020
Using exclude_lines with json logs Beats filebeat	1	354	October 6, 2020

Omit non-json lines in log files while still allowing json parsing

Related topics