diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index a1c7166cac0..9f3eeb101ae 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -293,6 +293,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be a string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 29236fe4bf3..c2ac42cf320 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -700,6 +700,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be a string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index ab9dab7c32c..50a91b1d4a8 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2765,6 +2765,101 @@ filebeat.inputs: # original for harvesting but will report the symlink name as source. #prospector.scanner.symlinks: false + ### Parsers configuration + + #### JSON configuration + + #parsers: + #- ndjson: + # Decode JSON options. Enable this if your logs are structured in JSON. + # JSON key on which to apply the line filtering and multiline settings. This key + # must be top level and its value must be a string, otherwise it is ignored. If + # no text key is defined, the line filtering and multiline features cannot be used. + #message_key: + + # By default, the decoded JSON is placed under a "json" key in the output document. + # If you enable this setting, the keys are copied to the top level of the output document. + #keys_under_root: false + + # If keys_under_root and this setting are enabled, then the values from the decoded + # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.) + # in case of conflicts. + #overwrite_keys: false + + # If this setting is enabled, then keys in the decoded JSON object will be recursively + # de-dotted, and expanded into a hierarchical object structure. + # For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`. + #expand_keys: false + + # If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON + # unmarshaling errors or when a text key is defined in the configuration but cannot + # be used. + #add_error_key: false + + #### Multiline options + + # Multiline can be used for log messages spanning multiple lines. This is common + # for Java Stack Traces or C-Line Continuation + + #parsers: + #- multiline: + #type: pattern + # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ + #pattern: ^\[ + + # Defines if the pattern set under the pattern setting should be negated or not. Default is false. + #negate: false + + # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern + # that was (not) matched before or after or as long as a pattern is not matched based on negate. + # Note: After is the equivalent to previous and before is the equivalent to next in Logstash + #match: after + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + # To aggregate constant number of lines into a single event use the count mode of multiline. + + #parsers: + #- multiline: + #type: count + + # The number of lines to aggregate into a single event. + #count_lines: 3 + + # The maximum number of lines that are combined to one event. + # In case there are more than max_lines the additional lines are discarded. + # Default is 500 + #max_lines: 500 + + # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event + # Default is 5s. + #timeout: 5s + + # Do not add new line character when concatenating lines. + #skip_newline: false + + #### Parsing container events + + # You can parse container events with different formats from all streams. + + #parsers: + #- container: + # Source of container events. Available options: all, stdin, stderr. + #stream: all + + # Format of the container events. Available options: auto, cri, docker, json-file + #format: auto + ### Log rotation # When an external tool rotates the input files with copytruncate strategy