Having Logstash reading JSON

Question

I am trying to use logstash for analyzing a file containing JSON objects as follows:

{"Query":{"project_id":"a7565b911f324a9199a91854ea18de7e","timestamp":1392076800,"tx_id":"2e20a255448742cebdd2ccf5c207cd4e","token":"3F23A788D06DD5FE9745D140C264C2A4D7A8C0E6acf4a4e01ba39c66c7c9cbd6a123588b22dc3a24"}}
{"Response":{"result_code":"Success","project_id":"a7565b911f324a9199a91854ea18de7e","timestamp":1392076801,"http_status_code":200,"tx_id":"2e20a255448742cebdd2ccf5c207cd4e","token":"3F23A788D06DD5FE9745D140C264C2A4D7A8C0E6acf4a4e01ba39c66c7c9cbd6a123588b22dc3a24","targets":[]}}
{"Query":{"project_id":"a7565b911f324a9199a91854ea18de7e","timestamp":1392076801,"tx_id":"f7f68c7fb14f4959a1db1a206c88a5b7","token":"3F23A788D06DD5FE9745D140C264C2A4D7A8C0E6acf4a4e01ba39c66c7c9cbd6a123588b22dc3a24"}}

Ideally i'd expect Logstash to understand the JSON. I used the following config:

input {
 file {
    type => "recolog"

    format => json_event

    # Wildcards work, here :)
    path => [ "/root/isaac/DailyLog/reco.log" ]
  } 
}

output {
  stdout { debug => true }
  elasticsearch { embedded => true }
}

I built this file based on this Apache recipe

When running logstash with debug = true, it reads the objects like this: How could i see stats in the kibana GUI based on my JSON file, for example number of Query objects and even queries based on timestamp. For now it looks like it understand a very basic version of the data not the structure of it.

Thx in advance

Answer 1

I found out that logstash will automatically detect JSON byt using the codec field within the file input as follows:

input {
   stdin {
   type => "stdin-type"
 }

 file {
    type => "prodlog"

    # Wildcards work, here :)
    path => [ "/root/isaac/Mylogs/testlog.log"]

    codec => json
 }
}

output {
  stdout { debug => true }
  elasticsearch { embedded => true }
}

Then Kibana showed the fields of the JSON perfectly.