Parse Logstash.log with logstash

webofmars · May 3, 2016, 1:33pm

Hello,

That might sounds a bit silly question (or circular one...) but how do you parse logstah.log with logstash itself. I always thought that it was json format but the ':' at the start seems to say that it isn't.

tried

filter {
json {
source => "message"
}
}

and it does produce error :

{:timestamp=>"2016-05-03T15:19:21.889000+0200", :message=>"Error parsing json", :source=>"message", :raw=>"{:timestamp=>"2016-05-03T14:12:18.094000+0200", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}", :exception=>#<LogStash::Json::ParserError: Unexpected character (':' (code 58)): was expecting double-quote to start field name
at [Source: [B@6f9f35c0; line: 1, column: 3]>, :level=>:warn}

magnusbaeck · May 8, 2016, 8:13pm

Yeah, Logstash's log files aren't JSON. There's no simple way of parsing them. Work is ongoing to make Logstash being able to emit JSON logfiles. I dug up the GitHub issue for this just a few days ago and posted it when someone asked the same question.