Topbeat json event, fieldname when sending to logstash


(Arjun Agarwal) #1

Please let me know the name of the field which stores the complete JSON event generated by Topbeat when we are sending data from Topbeat to Logstash. Or how can we store and get the JSON events generated by Topbeat in a field like message or source etc. while sending them only to Logstash?


(Monica Sarbu) #2

Starting with the 5.0 release, Topbeat is replaced with the system module in Metricbeat. The system module sends the data out already parsed. Here is an example of a JSON object that is sent out by the system module in Metricbeat that is similar to what Topbeat sends:

{
  "@timestamp": "2016-07-19T08:08:00.713Z",
  "beat": {
    "hostname": "mar.local",
    "name": "mar.local"
  },
  "metricset": {
    "module": "system",
    "name": "process",
    "rtt": 24574
  },
  "system": {
    "process": {
      "cmdline": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console",
      "cpu": {
        "start_time": "Jul08",
        "total": {
          "pct": 0
        }
      },
      "memory": {
        "rss": {
          "bytes": 21757952,
          "pct": 0.0013
        },
        "share": 0,
        "size": 2688053248
      },
      "name": "loginwindow",
      "pid": 93,
      "ppid": 1,
      "state": "running",
      "username": "monica"
    }
  },
  "type": "metricsets"
}

After the JSON object arrives in Elasticsearch, you can simply search for any of the fields, for example system.process.cmdline, to get the command line.
Please let me know if you have any questions.


(Arjun Agarwal) #3

Thanks for the Metricbeat suggestion!
I want to know the name of the field (source or something) in which the complete event which you posted above is stored.
I am sending the data from Logstash to some DB, not to Elasticsearch. Is there any way through which I can store this complete event as a JSON object in any field in Logstash?


(Steffen Siering) #4

Can you share your beats output config and your logstash input config?

If logstash is configured correctly, there is no particular json stored in any field, but logstash will receive and handle the full event as posted by @monica.


(Arjun Agarwal) #5

@steffens Logstash does not store any JSON in a field. It's my requirement that I want that full event to be stored in a particular field in Logstash, similar to what we get in the _source field in Elasticsearch. I need this _source kind of field in Logstash, where I could get the complete JSON event sent by Beats. So can you help me with the name of that field if it exists, or any way to store that event in a field?

Thanks


(Steffen Siering) #6

Have you checked the Logstash filter config documentation? Maybe you can use the ruby filter to wrap/munge the event to your liking.
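
The ruby filter approach suggested above, as an added example that is not part of the original thread: a Logstash pipeline that copies the whole incoming Beats event into one field as a JSON string, similar to what `_source` holds in Elasticsearch. The field name `event_json` and port 5044 are assumptions, and `event.set` is the Logstash 5.x event API (on 2.x the equivalent is `event["event_json"] = event.to_json`).

```logstash
input {
  beats {
    port => 5044   # assumed port; must match the Beat's logstash output
  }
}

filter {
  # Keep this filter first so the copy reflects the event as received,
  # before any later filter renames, drops or rewrites fields.
  ruby {
    code => '
      # Serialize every field of the event (including @timestamp)
      # into one JSON string. @metadata is not included.
      # "event_json" is a hypothetical field name.
      event.set("event_json", event.to_json)
    '
    # If the Ruby code raises, the event is tagged instead of dropped,
    # so failures can be routed or alerted on downstream.
    tag_on_exception => "_rubyexception"
  }
}

output {
  # Inspect the result; replace with the output plugin for the target DB.
  stdout { codec => rubydebug }
}
```

Each event then carries both the parsed fields and an unmodified serialized copy, which is useful when the downstream store should retain the record exactly as the Beat sent it.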


(system) #7

This topic was automatically closed after 21 days. New replies are no longer allowed.