Parsing Json Logs

Hi Guys

I'm new to Elastic and have been searching lots to try and find an answer.

I have a multiline JSON that I'm trying to create a single event for.

The Json looks like this:

```json
{
    "SourceInfo":  "C:\\Modules\\User\\xTestCompositeModule\\DSCResources\\cTestBaseline\\cTestBaseline.schema.psm1::33::1::File",
    "ModuleName":  "PSDesiredStateConfiguration",
    "DurationInSeconds":  "0",
    "InstanceName":  "TestFolder::[cTestBaseline]Baseline",
    "StartDate":  "2018-03-28T10:51:54.4820000+13:00",
    "ResourceName":  "File",
    "ModuleVersion":  "1.1",
    "RebootRequested":  "False",
    "ResourceId":  "[File]TestFolder::[cTestBaseline]Baseline",
    "ConfigurationName":  "ServerConfigV2",
    "InDesiredState":  "True"
}
```

My filebeat config is:

```yaml
filebeat.prospectors:
- input_type: log
  paths:
    - C:\Log*.*
  # A line that does not start with '{' belongs to the previous event.
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after

processors:
- decode_json_fields:
    fields: ['message']
    target: json

output.elasticsearch:
  hosts: ["http://172.17.16.103:9200"]
```

The only issue I'm getting is that all the fields are contained inside the message field in Elasticsearch.

Thanks in advance for the help.

The target config should do the job here: https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html. As you already have this in, I'm wondering if perhaps something is off with the indentation of the config. Can you put 3 ticks before and after your config to make sure the formatting appears correctly in the post?

Which version of Filebeat are you using?
I assume you want all fields to show up under the json key.
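To make the two processing stages in the config above concrete, here is a small Python script (an added illustration, not Filebeat code and not from anyone in this thread) that mimics what `multiline.pattern: '^{'` with `negate: true` / `match: after` does to the lines of a log file, and then what `decode_json_fields` with `target: json` does to the resulting `message`. The sample log is constructed: the first event is the DSC record from the post written as valid JSON, the second deliberately lacks a comma, so you can see the symptom from the post (everything stays in `message`) appear when the JSON cannot be parsed. The event layout, the `multiline_join` and `decode_json_fields` function names and the `pipeline` helper are simplifications chosen for this example; real Filebeat also applies `max_lines`, flush timeouts and logs a warning on decode errors.

```python
import json
import re

# Constructed sample log: one valid JSON event, then one with a missing comma
# between "ResourceName" and "InDesiredState". Raw string, so the JSON keeps
# its doubled backslashes exactly as a DSC log would contain them.
SAMPLE_LOG = r'''{
    "SourceInfo":  "C:\\Modules\\User\\xTestCompositeModule\\DSCResources\\cTestBaseline\\cTestBaseline.schema.psm1::33::1::File",
    "ModuleName":  "PSDesiredStateConfiguration",
    "DurationInSeconds":  "0",
    "InstanceName":  "TestFolder::[cTestBaseline]Baseline",
    "StartDate":  "2018-03-28T10:51:54.4820000+13:00",
    "ResourceName":  "File",
    "ModuleVersion":  "1.1",
    "RebootRequested":  "False",
    "ResourceId":  "[File]TestFolder::[cTestBaseline]Baseline",
    "ConfigurationName":  "ServerConfigV2",
    "InDesiredState":  "True"
}
{
    "ResourceName":  "File"
    "InDesiredState":  "False"
}
'''


def multiline_join(lines, pattern=r'^{', negate=True):
    """Simplified model of Filebeat multiline with match: after.

    With negate: true, every line that does NOT match `pattern` is appended to
    the event that the last matching line started. A line that matches begins
    a new event. Returns the list of joined messages.
    """
    regex = re.compile(pattern)
    events = []
    current = None
    for line in lines:
        is_continuation = bool(regex.search(line))
        if negate:
            is_continuation = not is_continuation
        if is_continuation and current is not None:
            current.append(line)
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
    if current is not None:
        events.append("\n".join(current))
    return events


def decode_json_fields(event, fields=('message',), target='json'):
    """Simplified model of the decode_json_fields processor.

    Each listed field is parsed as JSON. With a non-empty `target` the decoded
    object is stored under that key; with target '' it is merged into the root.
    If parsing fails the field is left untouched, which is what it looks like
    when all your fields stay inside `message` in Elasticsearch.
    """
    out = dict(event)
    for field in fields:
        raw = out.get(field)
        if not isinstance(raw, str):
            continue
        try:
            decoded = json.loads(raw)
        except json.JSONDecodeError:
            continue  # Filebeat would log a warning here; the message stays as-is
        if target:
            out[target] = decoded
        else:
            out.update(decoded)
    return out


def pipeline(log_text):
    """Run both stages over a log file's text and return the emitted events."""
    return [decode_json_fields({'message': m})
            for m in multiline_join(log_text.splitlines())]


if __name__ == '__main__':
    for ev in pipeline(SAMPLE_LOG):
        status = 'decoded' if 'json' in ev else 'left in message (invalid JSON)'
        print(status, '->', ev.get('json', ev['message'])[:60] if 'json' not in ev else ev['json']['ResourceName'])
```

Running it shows the first record arriving as `json.ResourceName`, `json.InDesiredState` and so on, while the malformed second record keeps its raw text in `message`. When the whole document ends up in `message` in practice, the two things to check are therefore that the multiline stage really produced one complete `{ ... }` per event and that the text it produced is valid JSON.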

Hi Ruflin

Thank you for the response. If you say my config looks correct, then let me play and make sure my indentation is correct. I will post back once I'm done.
