docs: follow-ups to app logs

docs/en/observability/application-logs.asciidoc

@@ -213,6 +213,11 @@ To enable these features, you'll need to parse the contents of your logs into EC
 To learn how to use the Grok processor to parse application logs before indexing,
 see {ref}/common-log-format-example.html[Example: Parse logs in the Common Log Format].
 
+[float]
+=== Step 3: View your logs in {kib}
+
+Use the <<apm,APM>> or <<monitor-logs,Logs>> UI to search, filter, and visualize your logs.
+
 [float]
 === Learn more
 
@@ -259,6 +264,12 @@ _See the Ruby or Java agent docs._
 include::./tab-widgets/filebeat-logs/widget.asciidoc[]
 :!ecs-logs:
 
+[float]
+=== Step 3: View your logs in {kib}
+
+Use the <<apm,APM>> or <<monitor-logs,Logs>> UI to search, filter, and visualize your logs.
+
+
 [[apm-agent-log-sending]]
 == APM agent log sending
 

docs/en/observability/tab-widgets/filebeat-logs/content.asciidoc

@@ -14,18 +14,21 @@ filebeat.inputs:
   paths: /path/to/logs.json
   parsers:
     - ndjson:
-      keys_under_root: true
-      overwrite_keys: true
-      add_error_key: true
-      expand_keys: true
+      overwrite_keys: true <2>
+      add_error_key: true <3>
+      expand_keys: true <4>
 
-processors:
+processors: <5>
   - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
 ----
 <1> Use the filestream input to read lines from active log files.
+<2> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<3> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<4> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
+<5> Processors enhance your data. See {filebeat-ref}/filtering-and-enhancing-data.html[processors] to learn more.
 endif::ecs-logs[]
 ifdef::plaintext[]
 . Configure filebeat.yaml file to start collecting log data.
@@ -37,8 +40,10 @@ ifdef::plaintext[]
 ----
 filebeat.inputs:
 - type: filestream <1>
-  paths: /path/to/logs.log
+  paths: /path/to/logs.log <2>
 ----
+<1> Reads lines from an active log file.
+<2> A list of glob-based paths that will be crawled and fetched.
 endif::plaintext[]
 
 // end::logs[]
@@ -57,11 +62,13 @@ ifdef::ecs-logs[]
 [source,yaml]
 ----
 annotations:
-  co.elastic.logs/json.keys_under_root: true
-  co.elastic.logs/json.overwrite_keys: true
-  co.elastic.logs/json.add_error_key: true
-  co.elastic.logs/json.expand_keys: true
+  co.elastic.logs/json.overwrite_keys: true <1>
+  co.elastic.logs/json.add_error_key: true <2>
+  co.elastic.logs/json.expand_keys: true <3>
 ----
+<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
 endif::ecs-logs[]
 ifdef::plaintext[]
 endif::plaintext[]
@@ -82,11 +89,13 @@ ifdef::ecs-logs[]
 .docker-compose.yml
 ----
 labels:
-  co.elastic.logs/json.keys_under_root: true
-  co.elastic.logs/json.overwrite_keys: true
-  co.elastic.logs/json.add_error_key: true
-  co.elastic.logs/json.expand_keys: true
+  co.elastic.logs/json.overwrite_keys: true <1>
+  co.elastic.logs/json.add_error_key: true <2>
+  co.elastic.logs/json.expand_keys: true <3>
 ----
+<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
 endif::ecs-logs[]
 ifdef::plaintext[]
 endif::plaintext[]