How to Use JSON with Logstash?

Better Stack Team
Updated on April 16, 2024

If you have JSON-formatted logs that you want to ingest and process with Logstash, follow these steps:

Assuming you have logs in the following JSON format:

 
{"status": 200, "ip": "127.0.0.1", "level": 30, "msg": "Connected to database", "pid": 17089, "timestamp": 1696150204}
{"status": 200, "ip": "127.0.0.1", "level": 30, "msg": "Task completed successfully", "pid": 17089, "timestamp": 1696150207}

You can read these JSON logs with the following Logstash configuration:

/etc/logstash/conf.d/logstash.conf
input {
  file {
    type => "json"
    path => "/var/log/mylogs.log"
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  file {
    path => "/var/log/out.log"
  }
}

This Logstash configuration reads JSON data from /var/log/mylogs.log, parses it using the JSON filter, and outputs the processed data to /var/log/out.log. Each incoming event (or log line) has the JSON message field parsed, and the resulting structured data is written to the output file.

Got an article suggestion? Let us know
Explore more
Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Make your mark

Join the writer's program

Are you a developer and love writing and sharing your knowledge with the world? Join our guest writing program and get paid for writing amazing technical guides. We'll get them to the right readers that will appreciate them.

Write for us
Writer of the month
Marin Bezhanov
Marin is a software engineer and architect with a broad range of experience working...
Build on top of Better Stack

Write a script, app or project on top of Better Stack and share it with the world. Make a public repository and share it with us at our email.

community@betterstack.com

or submit a pull request and help us build better products for everyone.

See the full list of amazing projects on github