Parsing dockers files with logstash

Asier_Saluena · March 13, 2018, 10:42am

Hi, I'm including my dockers json logs to the ELK stack, but I can't send them to ES and I don't know why not
My filebeat shipper look like this:

- type: log
paths:
json.message_key: log
json.keys_under_root: true
fields.doc_type: json_docker

My Logstash config file just do this:

output {
    if [fields][doc_type] == "json_docker" {
      elasticsearch {
        hosts => ["10.0.11.30:9200"]
        sniffing => true
        manage_template => false
        index => "%{host}_json-%{+YYYY.MM.dd}"
      }
    }
}

magnusbaeck · March 13, 2018, 11:01am

With keys_under_root enabled the doc_type field won't end up under fields. Dump the event with a stdout { codec => rubydebug } to inspect exactly what you have.

system · April 10, 2018, 11:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing JSON in JSON (docker logs) Beats filebeat	2	1798	December 8, 2016
Logstash parse docker container log Logstash	2	1648	March 18, 2019
Moving JSON inner field to root level Beats filebeat	2	957	September 20, 2018
Parse Elasticsearch json logs in filebeat Beats docker , journalbeat , filebeat	7	944	February 10, 2023
Docker logs to ES with FileBeat Beats filebeat	5	1982	January 25, 2017

Parsing dockers files with logstash

Related topics