Gustavo Chaín
Reputation: 943
Parse docker logs with logstash
I have a docker container that log to stdout/stderr. Docker save it's output into /var/lib/docker/containers//-logs.json
The log has lines with the following structure
{"log":"This is a message","stream":"stderr","time":"2015-03-12T19:27:27.310818102Z"}
which input/codec/filter should I use to get only the log field as the message ?
Thanks!
Upvotes: 1
Views: 3631
Answers (1)
Magnus Bäck
Reputation: 11581
Use the json codec to parse the JSON string (you could instead use the json filter), then rename the "log" field to "message" with the mutate filter and finally use the date filter to parse the "time" field.
filter {
mutate {
rename => ["log", "message"]
}
date {
match => ["time", "ISO8601"]
remove_field => ["time"]
}
}
Upvotes: 2
Related Questions
- Best way to send docker container logs to logstash
- Correct way to parse docker JSON logs in promtail
- Docker logs, stderr
- Logging to logstash from python
- Logstash Docker image configuration
- Writing python log files to logstash
- Parse Server Logs in Docker?
- using syslog to ship the docker container logs to logstash
- How to configure Logstash to parse AWS ELB logs?
- Logstash syslog input from docker container