-*- org-mode -*-

* How to parse single line JSON logs for ElasticSearch Cloud
This is going to be a brief blog post, but wanted to jot down a few things as solving this "easy" issue has taken me the better part of 4 hours.
** The Problem
I have a number of weirdly formatted logs that developers would like to be able to easily search through and get insights from. The developers control this log format,
but its an embedded environment and it's "non-trivial" to modify the format. I wrote a Perl script that will read in these developer logs and regex out
key fields I'm interested in, transforming them like so (fake data):

#+BEGIN_SRC shell
# Original log line
# LOG LEVEL # DATE & TIME      # FUNCTION NAME/LINE NUMBER # LOG MESSAGE
[DEBUG] 2020/9/10 - 13:59:23 | some_function_name 166: some log message

# PARSED LOG LINE
{"log_level":"Debug","timestamp":"2020-09-10T13:59:23","function_name":"some_function_name","line_number":"166","message":"some log message"}
#+END_SRC

After setting up this log parser and filebeat, I started processing these logs into a hosted ElasticSearch cloud instance. To my surprised, the JSON fields were
not indexed, meaning I couldn't perform KQL searches like =timestamp:2020-09*= to get all log lines from that month.

** The Solution
To Elastic's credit, it's actually incredibly simple to get this behavior with filebeat, all I needed to do was add the following to the =/etc/filebeat/filebeat.yml=
file under the =processors= field (This is on filebeat versions 7.x):

#+BEGIN_SRC yaml
processors:
 - decode_json_fields:
     fields: ["line_number","message","timestamp","function_name","log_level"]
     process_array: false
     max_depth: 1
     target: ""
     overwrite_keys: false
     add_error_key: true
#+END_SRC

The relevant documentation can be found here: https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html

After creating a new index in ElasticSearch and ingesting logs to this new index, the expected KQL behavior worked.

The reason why I'm making this blog post is that it took me hours to find this documentation, as there seems to be about 1000 different ways to get this
functionality, with a number of different caveats or options depending on your use case. I may just be showing my inexperience with ElasticSearch here,
but decided to write something brief about this because it took me a while to track down.

Note: This post isn't a knock against Elastic and their products. They solve a complex issue and give users a lot of options for how to manage, index, and
search their data. I think given those options though, groking documentation can become time consuming and I wanted to try and offer a shortcut.

You are viewing proxied material from chate.io. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.