Hi, I'm including my dockers json logs to the ELK stack, but I can't send them to ES and I don't know why not
My filebeat shipper look like this:
- type: log paths: json.message_key: log json.keys_under_root: true fields.doc_type: json_docker
My Logstash config file just do this:
output { if [fields][doc_type] == "json_docker" { elasticsearch { hosts => ["10.0.11.30:9200"] sniffing => true manage_template => false index => "%{host}_json-%{+YYYY.MM.dd}" } } }
With keys_under_root enabled the doc_type field won't end up under fields. Dump the event with a stdout { codec => rubydebug } to inspect exactly what you have.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.