I have multiple Kubernetes clusters sending logs to S3 , then I use logstash to read logs off S3 files. Some logs messages are in JSON , others in structured format.
How to dynamically detect and parse JSON , and save non-JSON as it is. I use this filter but not working.
filter {
if [message] =~ "\A\{.+\}\z" {
json {
source => "message"
}
mutate { add_field => { "json_detected" => "This is json log" } }
}
}
Thanks
You could try always using a json filter. If you get a _jsonparsefailure then it is not JSON, so process it as a structured log.
Unless your structured logs look a lot like JSON it is going to be pretty cheap for the json filter to notice that [message] does not start with a {
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.