Parsing JSON in JSON (docker logs)

Jeff · November 10, 2016, 1:03pm

We are parsing docker logs using filebeat 5. We parse the JSON using the following options:

json.message_key: log
json.keys_under_root: true
json.add_error_key: true

However, the log messages from the docker container are being generated using logstash-logback-encoder and are structured logs in JSON. So ideally I want to parse the JSON docker log, then parse the value of the log key in JSON again.

e.g. docker log file entry:
{"log":"{"msg": "hello", "level": "WARN"}","stream":"stdout","time":"2016-11-10T12:55:37.707457521Z"}

I would like to get msg and level as keys in the elasticsearch entry.

Is this possible?

Regards,
Jeff

steffens · November 10, 2016, 1:12pm

Sounds like this PR could become helpful in the future. Right now, additional json decoding must be done in logstash or via elasticsearch ingest node.

system · December 8, 2016, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse Elasticsearch json logs in filebeat Beats docker , journalbeat , filebeat	7	939	February 10, 2023
How to parse docker logs (nested serialized JSON) Logstash	2	2781	June 14, 2017
How to Ship/Parse JSON logs (from Kibana) to Elasticsearch? Beats filebeat	7	5794	July 20, 2018
Filebeat -> ElasticSearch for logrus running on k8s Beats filebeat	28	1646	September 26, 2022
Filebeat to logstash problem to parse json message Beats filebeat	7	1925	January 10, 2018

Parsing JSON in JSON (docker logs)

Related Topics