diff --git a/docs/en/observability/application-logs.asciidoc b/docs/en/observability/application-logs.asciidoc index 4220e133d3..a17835b833 100644 --- a/docs/en/observability/application-logs.asciidoc +++ b/docs/en/observability/application-logs.asciidoc @@ -213,6 +213,11 @@ To enable these features, you'll need to parse the contents of your logs into EC To learn how to use the Grok processor to parse application logs before indexing, see {ref}/common-log-format-example.html[Example: Parse logs in the Common Log Format]. +[float] +=== Step 3: View your logs in {kib} + +Use the <> or <> UI to search, filter, and visualize your logs. + [float] === Learn more @@ -259,6 +264,12 @@ _See the Ruby or Java agent docs._ include::./tab-widgets/filebeat-logs/widget.asciidoc[] :!ecs-logs: +[float] +=== Step 3: View your logs in {kib} + +Use the <> or <> UI to search, filter, and visualize your logs. + + [[apm-agent-log-sending]] == APM agent log sending diff --git a/docs/en/observability/tab-widgets/filebeat-logs/content.asciidoc b/docs/en/observability/tab-widgets/filebeat-logs/content.asciidoc index 5aff3a7818..2a2968810e 100644 --- a/docs/en/observability/tab-widgets/filebeat-logs/content.asciidoc +++ b/docs/en/observability/tab-widgets/filebeat-logs/content.asciidoc 
@@ -14,18 +14,21 @@ filebeat.inputs: paths: /path/to/logs.json parsers: - ndjson: - keys_under_root: true - overwrite_keys: true - add_error_key: true - expand_keys: true + overwrite_keys: true <2> + add_error_key: true <3> + expand_keys: true <4> -processors: +processors: <5> - add_host_metadata: ~ - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ ---- <1> Use the filestream input to read lines from active log files. +<2> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts. +<3> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors. +<4> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. +<5> Processors enhance your data. See {filebeat-ref}/filtering-and-enhancing-data.html[processors] to learn more. endif::ecs-logs[] ifdef::plaintext[] . Configure filebeat.yaml file to start collecting log data. @@ -37,8 +40,10 @@ ifdef::plaintext[] ---- filebeat.inputs: - type: filestream <1> - paths: /path/to/logs.log + paths: /path/to/logs.log <2> ---- +<1> Reads lines from an active log file. +<2> A list of glob-based paths that will be crawled and fetched. endif::plaintext[] // end::logs[] 
@@ -57,11 +62,13 @@ ifdef::ecs-logs[] [source,yaml] ---- annotations: - co.elastic.logs/json.keys_under_root: true - co.elastic.logs/json.overwrite_keys: true - co.elastic.logs/json.add_error_key: true - co.elastic.logs/json.expand_keys: true + co.elastic.logs/json.overwrite_keys: true <1> + co.elastic.logs/json.add_error_key: true <2> + co.elastic.logs/json.expand_keys: true <3> ---- +<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts. +<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors. +<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. endif::ecs-logs[] ifdef::plaintext[] endif::plaintext[] @@ -82,11 +89,13 @@ ifdef::ecs-logs[] .docker-compose.yml ---- labels: - co.elastic.logs/json.keys_under_root: true - co.elastic.logs/json.overwrite_keys: true - co.elastic.logs/json.add_error_key: true - co.elastic.logs/json.expand_keys: true + co.elastic.logs/json.overwrite_keys: true <1> + co.elastic.logs/json.add_error_key: true <2> + co.elastic.logs/json.expand_keys: true <3> ---- +<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts. +<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors. +<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure. endif::ecs-logs[] ifdef::plaintext[] endif::plaintext[]
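Review bot: In docs/en/observability/application-logs.asciidoc, hunk @@ -213,6 +213,11 @@, the added sentence reads "Use the <> or <> UI to search, filter, and visualize your logs.", so both cross-references have no anchor ID and the reader cannot tell which two UIs are meant. Put the target IDs inside the angle brackets, with explicit link text if the anchors carry no title, and build the page once to confirm that both links resolve.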
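Review bot: In docs/en/observability/application-logs.asciidoc, hunk @@ -259,6 +264,12 @@, the "Step 3: View your logs in {kib}" block is a verbatim copy of the one added at line 213, including the same empty "<> or <>" cross-references, and it is followed by two blank lines before "[[apm-agent-log-sending]]" where the first copy has one. Consider moving the step into a shared include so the two sections cannot drift apart, and drop the extra blank line.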
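Review bot: In tab-widgets/filebeat-logs/content.asciidoc, hunk @@ -14,18 +14,21 @@, "keys_under_root: true" is removed while "overwrite_keys: true" stays, and callout <2> says the decoded values overwrite the fields {filebeat} normally adds. The Filebeat reference describes overwrite_keys as taking effect together with keys_under_root, so please confirm the ndjson parser still places keys at the root with this config; otherwise either keep the setting or state the dependency in callout <2>. Since callout <2> means application-written JSON can replace {filebeat}'s own metadata (type, source, offset), a short sentence saying so would help readers who rely on those fields for provenance. Callout <4> could also use the present tense ("recursively de-dots ... and expands") to match <2> and <3>.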
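Review bot: In tab-widgets/filebeat-logs/content.asciidoc, hunk @@ -37,8 +40,10 @@, callout <2> describes "A list of glob-based paths" but the line it annotates is the scalar "paths: /path/to/logs.log", so the example and its explanation disagree. Write the value as a YAML list with one "- /path/to/logs.log" entry under "paths:" (the ecs-logs example above has the same scalar form), and align the wording of callout <1> with the ecs-logs variant, "Use the filestream input to read lines from active log files."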
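Review bot: In tab-widgets/filebeat-logs/content.asciidoc, hunk @@ -57,11 +62,13 @@ (Kubernetes annotations), "co.elastic.logs/json.keys_under_root: true" is dropped while "co.elastic.logs/json.overwrite_keys: true" is kept, and callout <1> promises that decoded values overwrite {filebeat}'s fields. For the json.* hint options the Filebeat reference ties overwrite_keys to keys_under_root being enabled, so without it the decoded object would sit under a "json" key and the ECS fields would not land at the top level. Please verify against a running pod and either restore the annotation or explain in the callout why it is no longer needed.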
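Review bot: In tab-widgets/filebeat-logs/content.asciidoc, hunk @@ -82,11 +89,13 @@ (docker-compose.yml labels), the three callout sentences are a third verbatim copy of the text already added for the filestream and Kubernetes examples, so a future wording fix has to be made in three places. Consider defining the sentences once as attributes or a shared include and referencing them from each tab. The removal of "co.elastic.logs/json.keys_under_root: true" raises the same question here as for the Kubernetes annotations: confirm that "overwrite_keys" and "expand_keys" still produce top-level ECS fields without it.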