Add mode to generate event per line of command output #11

Open
wants to merge 2 commits into
base: master

@Jahor Jahor commented Mar 5, 2017

Hi,

I needed a mode in which an external app will produce several lines of output that can be indexed in Elasticsearch separately.

In my case it will be a JSON object per line, which in conjunction with the decode_json_fields processor will spare me the time of implementing a custom beat for getting metrics from the RabbitMQ API.

It produces events like this:

{
  "@timestamp": "2017-03-05T05:23:04.003Z",
  "beat": {
    "hostname": "host",
    "name": "name",
    "version": "3.1.1"
  },
  "line": {
    "command": "bash",
    "exitCode": 0,
    "line": "{\"test1\": {\"message\": \"hello\"}}",
    "line_number": 0,
    "source": "stdout"
  },
  "type": "execbeat"
}
{
  "@timestamp": "2017-03-05T05:23:04.003Z",
  "beat": {
    "hostname": "host",
    "name": "name",
    "version": "3.1.1"
  },
  "line": {
    "command": "bash",
    "exitCode": 0,
    "line": "{\"test2\": {\"message\": \"world\"}}",
    "line_number": 1,
    "source": "stdout"
  },
  "type": "execbeat"
}

from

{"test1": {"message": "hello"}}
{"test2": {"message": "world"}}

jautz commented Jun 19, 2017

@christiangalsterer, what do you think about this feature in general? That is, some possibility to produce multiple documents from one execbeat command invocation? I am just curious about the "roadmap".

@christiangalsterer
Owner

Hi @jautz,

Sorry for the late feedback. In general I think this is a very nice feature. I think it would address #22, wouldn't it?

I will look into it in the next days.

@christiangalsterer
Owner

Here are some ideas where it would be great if you could share your thoughts.

Instead of creating a new line field what about returning the existing exec field but adding the line_number as an additional optional field?

You also return the output in the line field and denote the source with a new source field. In the line _node=false mode the result is returned in two different fields. As I would like to keep the output consistent, was there a special reason for this or was this just personal preference?

jautz commented Nov 2, 2017

Thanks for your reply. Yes, it seems to be a solution for #22.
To be honest, I do not use beats anymore for the specific problem I wanted to address with this multi-event feature. Therefore anyone else who needs this should speak up and let Christian know about the demand.

StyXman commented Aug 17, 2018

Any news about this? I do think it's useful, for instance for easily obtaining metrics from things for which there is no support yet, like SMART for disks, custom systems, and more.
