Menu
I am using Bunyan and bunyas-lumberjack to send my logs to log stash and index them in elastic search. The problem I am facing is when I am filtering the logs: I am using a basic filter for Logstash :
filter {
if [type == "json"]{
json {
source => "message"
}
}
}
that puts the JSON from bunyan into the source.message field and indexes it in elastic search. How can I index every field from bunyan into a particular elastic search field so I can search over it or use it in Kibana ?
I am attaching what I have obtained now and what I want to obtain as example. Currently:
{
"_index": "logstash-2015.10.26",
"_type": "json",
"_id": "AVCjvDHWHiX5VLMgQZIC",
"_score": null,
"_source": {
"message": "{\"name\":\"myLog\",\"hostname\":\"atnm-4.local\",\"pid\":6210,\"level\":\"error\",\"message\":\"This should work!\",\"@timestamp\":\"2015-10-26T10:40:29.503Z\",\"tags\":[\"bunyan\"],\"source\":\"atnm-4.local/node\"}",
"@version": "1",
"@timestamp": "2015-10-26T10:40:31.184Z",
"type": "json",
"host": "atnm-4.local",
"bunyanLevel": "50"
},
Wanted:
{
"_index": "logstash-2015.10.26",
"_type": "json",
"_id": "AVCjvDHWHiX5VLMgQZIC",
"_score": null,
"_source": {
"message": {
"name": example,
"hostname": example,
"etc": example
282
Each input in logstash can have different codec and type. In your case, if you want to index bunyan and syslog, you'll have two inputs with two different types. The syslog will have codec "plain", the bunyan will have "json". You do not need any filter for the bunyan messages. The json will be parsed and the fields will appear automagically. You will have to have a filter to parse the syslog input.
170
answered Jun 12 '26 13:06
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With