search

elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats
Other
12.15k stars 4.91k forks source link

Add json.* config support in the aws-cloudwatch input #26429

Open ndtreviv opened 3 years ago

ndtreviv commented 3 years ago

filbeat config:

filebeat.inputs:
  - type: aws-cloudwatch
    log_group_arn: arn:aws:logs:us-east-1:REDACTED:log-group:/ecs/REDACTED:*
    scan_frequency: 1m
    start_position: beginning
    json.keys_under_root: true
    json.add_error_key: true
    json.message_key: message

Cloudwatch logs:

Screenshot 2021-06-23 at 08 36 43

Indexed logs:

...
"message" : """{"timestamp":"2021-06-23T07:27:36.998","level":"INFO","thread":"ForkJoinPool.commonPool-worker-3","logger":"com.mycompany.myapp.RequestHandler","message":"Processing for immediate request status: Progress={jobId=REDACTED, mediaCount=100, mediaProcessed=100, status=PROCESSING, error=null, errorCount=0, started=Wed Jun 16 05:30:52 UTC 2021, finished=null, took=null}","context":"default"}""",
...

I would have expected the json.* properties to kick in, the message field (which is all json) to be parsed as json and the resulting object keys to be put on the document. This includes overwriting the message field itself with the one in the json object. This works as expected when using a log file input.

For confirmed bugs, please report:

elasticmachine commented 3 years ago

Pinging @elastic/integrations (Team:Integrations)

ndtreviv commented 3 years ago

In case it helps, the logging was written by a springboot application using the following logging config:

<configuration>

    <springProperty scope="context" name="log_level" source="logging.level"
                    defaultValue="info"/>

    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <!-- encoders are assigned the type
             ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
        <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
            <layout class="ch.qos.logback.contrib.json.classic.JsonLayout">
                <jsonFormatter class="ch.qos.logback.contrib.jackson.JacksonJsonFormatter" />
                <timestampFormat>${LOG_DATEFORMAT_PATTERN}</timestampFormat>
                <appendLineSeparator>true</appendLineSeparator>
            </layout>
        </encoder>

    </appender>
    <root level="${log_level}">
        <appender-ref ref="STDOUT" />
    </root>
</configuration>
kaiyan-sheng commented 3 years ago

Hi @ndtreviv currently aws-cloudwatch input doesn't support the json.* options. These json options are only for log input in Filebeat. I will leave this issue open to track this enhancement. Thank you!

ravikesarwani commented 2 years ago

Putting it in hold for the time being. Can be looked at once we work on https://github.com/elastic/beats/issues/23575

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

ndtreviv commented 1 year ago

👍🏻🙏

botelastic[bot] commented 5 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!