-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
json.overwrite_keys causes filebeat to panic #6381
Comments
@vbohata I try to reproduce your problem This is reproduce with potential fix: https://github.com/ewgRa/beats/commit/679397f1488acc6eeb2b92376e64d41a7913e994 But problem that it fix just a panic, but looks like overwrite_keys functionality not working right now, and looks like #4554 is a reason. Problem that in json.go, at MergeJSONFields there is create Event: event := &beat.Event{, but in return there is only return event.Timestamp and created event.Meta not used at all. And this event.Meta that was overwritten, not goes to new pipeline processor, in event.go makeEvent function, in.Meta probably always nil. So, I think problem is deeper, and functionality, related to overwrite_keys not working. @urso can you confirm? |
Ok, looks like this is solution, that says that I'm right: https://github.com/ewgRa/beats/commit/b5a60f3b8a983195b75b3b429a3641d14377ea04, but I'm not sure that it is a best, 100% clean and not broke something else. |
PR #6509, not sure that 100% clean and do not broke anything, can be used as base for better fix. |
This issu should be documented at https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html |
I hit the same problem while trying to use Filebeat to ingest the JSON output from another Beat.
I also get a panic using
Tested with version 375b5cc. Patching with this seems to help:
|
I have the same problem with the latest version of filebeat when reading outout from auditbeat. The versions:
The stackm is quite similar:
|
This problem is also reported in this topic in discuss: https://discuss.elastic.co/t/importing-metricbeat-events-from-json-file-to-elastic-using-filebeat/212457 There they are trying to use filebeat to read output from metricbeat, but it seems to happen with any json object that contains a non-empty
And these json settings:
|
I am also affected by this. Very same scenario as @arcenik. Any ideas on possible workarounds? Maybe using some processors on both beats ends? EDIT:
The only annoying thing is that the original event timestamp gets overwritten by filebeat. I tried adding a I'll post an update if I find a way to get the timestamp right. Also any suggestions are welcome :) |
I am also seeing this issue when using functionbeat to export logs from cloudwatch that were previously processed by filebeat. The only work around I have found so far is to decode_json_fields into a target like "original", and then drop_fields and copy_fields to flatten it out and simulate overwrite_keys. Unfortunately this doesn't work for the @timestamp field, and there is no timestamp processor in functionbeat. |
I am using one instance of filebeat to store docker logs in local log file, each line is json. Another filebeat is reading this file and sending the logs to elasticsearch. This second filebeat does not work if I enable json.overwrite_keys: true.
My config:
Filebeat log:
Example entry from /app/volumes/logs/docker-json.log:
{"@timestamp":"2018-02-14T08:58:13.484Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.2.1"},"stream":"stdout","message":"[2018-02-14T09:58:13,483][INFO ][logstash.agent ] Pipelines running {:count=\u003e2, :pipelines=\u003e[".monitoring-logstash", "beatsmain"]}","prospector":{"type":"docker"},"docker":{"container":{"id":"48425cf7a58af112ff950ddcebe06968aed2d589bd9729422e98a4c9f7bd2a56","name":"els","image":"localhost/elk/logstash:latest","labels":{"com":{"docker":{"compose":{"version":"1.18.0","config-hash":"0993dddd4bf7d23bb20d04392b9fcb853da11d00a4b5d615ecf31af2be02f26b","container-number":"1","oneoff":"False","project":"elspo","service":"logstash"}}}}}},"beat":{"version":"6.2.1","name":"myname","hostname":"7a0006d02784"},"source":"/var/lib/docker/containers/48425cf7a58af112ff950ddcebe06968aed2d589bd9729422e98a4c9f7bd2a56/48425cf7a58af112ff950ddcebe06968aed2d589bd9729422e98a4c9f7bd2a56-json.log","offset":21400}
Affected filebeat versions: at least 6.1.x, 6.2.x
The text was updated successfully, but these errors were encountered: