Parsing JSON in JSON (docker logs)

Jeff · November 10, 2016, 1:03pm

We are parsing docker logs using filebeat 5. We parse the JSON using the following options:

json.message_key: log
json.keys_under_root: true
json.add_error_key: true

However, the log messages from the docker container are being generated using logstash-logback-encoder and are structured logs in JSON. So ideally I want to parse the JSON docker log, then parse the value of the log key in JSON again.

e.g. docker log file entry:
{"log":"{"msg": "hello", "level": "WARN"}","stream":"stdout","time":"2016-11-10T12:55:37.707457521Z"}

I would like to get msg and level as keys in the elasticsearch entry.

Is this possible?

Regards,
Jeff

steffens · November 10, 2016, 1:12pm

Sounds like this PR could become helpful in the future. Right now, additional json decoding must be done in logstash or via elasticsearch ingest node.

system · December 8, 2016, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docker logs not parsed Beats docker , filebeat	3	511	May 19, 2020
How to parse json.log using filebeat 6.2 Beats filebeat	3	447	July 23, 2019
Architecturally should filebeat handle nested json parsing or should it be moved to logstash? Beats filebeat	5	1849	September 21, 2016
Parse Elasticsearch json logs in filebeat Beats docker , journalbeat , filebeat	7	943	February 10, 2023
Parse json from inside message Beats docker , filebeat	6	2494	April 21, 2021

Parsing JSON in JSON (docker logs)

Related topics