How to configure a Filebeat httpjson input

A Filebeat httpjson input pulls events from REST-style HTTP APIs into the same ingest flow as logs, keeping audit trails and third‑party telemetry searchable without brittle cron-based scripts.

The input sends an HTTP request on a fixed interval, decodes the JSON response, and publishes the resulting fields as events through the configured Filebeat output. Request headers can carry authentication, and response data can be shaped into event fields with standard Filebeat processors.

API rate limits, pagination, and authentication determine whether polling produces complete data or silent gaps, so the request cadence and credentials must match the endpoint’s rules. Any environment variables referenced in the YAML must be available to the filebeat service runtime, and HTTPS should be preferred when tokens or session cookies are involved.

Steps to configure a Filebeat httpjson input:

Open the Filebeat configuration file.
```
$ sudo nano /etc/filebeat/filebeat.yml
```
Append an httpjson input stanza under the existing filebeat.inputs list.
```
filebeat.inputs:
  - type: httpjson
    interval: 1m
    request.url: "http://127.0.0.1:9100/events.json"
    request.headers.Authorization: "Bearer ${EVENTS_API_TOKEN}"
```
If filebeat.inputs already exists, add a new list item under it rather than duplicating the filebeat.inputs key.

Define EVENTS_API_TOKEN for the filebeat service (not only an interactive shell), and avoid hard-coding credentials into /etc/filebeat/filebeat.yml.

Confirm the endpoint returns a successful response with a JSON content type.

$ curl --silent --show-error --location --header "Authorization: Bearer $EVENTS_API_TOKEN" --output /dev/null --write-out "%{http_code} %{content_type}\n" "http://127.0.0.1:9100/events.json"
200 application/json

Test the configuration for errors.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
YAML indentation mistakes can prevent Filebeat from starting, even when only a single space is misplaced.

Related: How to test a Filebeat configuration
Restart the Filebeat service.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Check the Filebeat service status for an active state.

$ sudo systemctl status filebeat --no-pager --lines=12
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/filebeat.service.d
             └─env.conf
     Active: active (running) since Tue 2026-01-06 22:24:40 UTC; 4s ago
   Main PID: 8706 (filebeat)
      Tasks: 10 (limit: 28486)
     Memory: 39.9M (peak: 41.5M)
##### snipped #####

Review Filebeat logs for httpjson requests and published events.

$ sudo journalctl --unit=filebeat --no-pager --lines=30
Jan 06 22:24:40 host filebeat[8706]: {"log.level":"info","@timestamp":"2026-01-06T22:24:40.190Z","log.logger":"input.httpjson-stateless","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":141},"message":"Input 'httpjson-stateless' starting","service.name":"filebeat","id":"7FDF0F6073626C6E","ecs.version":"1.6.0"}
Jan 06 22:24:40 host filebeat[8706]: {"log.level":"info","@timestamp":"2026-01-06T22:24:40.190Z","log.logger":"input.httpjson-stateless","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.run.func1","file.name":"httpjson/input.go","file.line":239},"message":"Process another repeated request.","service.name":"filebeat","id":"7FDF0F6073626C6E","input_url":"http://127.0.0.1:9100/events.json","ecs.version":"1.6.0"}
Jan 06 22:24:40 host filebeat[8706]: {"log.level":"info","@timestamp":"2026-01-06T22:24:40.191Z","log.logger":"input.httpjson-stateless","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.(*requester).doRequest","file.name":"httpjson/request.go","file.line":235},"message":"request finished: 2 events published","service.name":"filebeat","id":"7FDF0F6073626C6E","input_url":"http://127.0.0.1:9100/events.json","ecs.version":"1.6.0"}
##### snipped #####

Verbose request/response troubleshooting can expose authentication headers in logs; disable extra logging as soon as the input is healthy.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.