如何使用 json 过滤器将我的 json 日志文件存储到 logstash
how to store my json log file to logstash with json filter
这是我的 json 日志文件。我正在尝试通过我的 logstash 将文件存储到我的弹性搜索中。
{ "id": "135569", "title" : "Star Trek Beyond", "year":2016 , "genre":
["Action", "Adventure", "Sci-Fi"] }
将数据存储到elasticSearch后,我的结果如下
{
"_index": "filebeat-6.2.4-2018.11.09",
"_type": "doc",
"_id": "n-J39mYB6zb53NvEugMO",
"_score": 1,
"_source": {
"@timestamp": "2018-11-09T03:15:32.262Z",
"source": "/Users/jinwoopark/Jin/json_files/testJson.log",
"offset": 106,
"message": """{ "id": "135569", "title" : "Star Trek Beyond", "year":2016 , "genre":["Action", "Adventure", "Sci-Fi"] }""",
"id": "%{id}",
"@version": "1",
"host": "Jinui-MacBook-Pro.local",
"tags": [
"beats_input_codec_plain_applied"
],
"prospector": {
"type": "log"
},
"title": "%{title}",
"beat": {
"name": "Jinui-MacBook-Pro.local",
"hostname": "Jinui-MacBook-Pro.local",
"version": "6.2.4"
}
}
}
我想做的是,
我只想将 "genre value" 存储到消息字段中,并将其他值(ex id,title)存储到额外的字段(创建的字段,即 id 和 title 字段)中。但是额外的字段存储了空值(%{id},%{title})。看来我需要修改我的 logstash json 过滤器,但在这里我需要你的帮助。
我目前的logstash配置如下
input {
beats {
port => 5044
}
}
filter {
json {
source => "genre" //want to store only genre (from json log) into message field
}
mutate {
add_field => {
"id" => "%{id}" // want to create extra field for id value from log file
"title" => "%{title}" // want to create extra field for title value from log file
}
}
date {
match => [ "timestamp", "dd/MM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
当您告诉 json 过滤器 source 是 genre 时,它应该忽略文档的其余部分,这可以解释为什么您没有得到 id 或 title.
似乎您应该解析整个 json 文档,并使用 mutate->replace plugin 将 genre 的内容移动到 message。
这是我的 json 日志文件。我正在尝试通过我的 logstash 将文件存储到我的弹性搜索中。
{ "id": "135569", "title" : "Star Trek Beyond", "year":2016 , "genre":
["Action", "Adventure", "Sci-Fi"] }
将数据存储到elasticSearch后,我的结果如下
{
"_index": "filebeat-6.2.4-2018.11.09",
"_type": "doc",
"_id": "n-J39mYB6zb53NvEugMO",
"_score": 1,
"_source": {
"@timestamp": "2018-11-09T03:15:32.262Z",
"source": "/Users/jinwoopark/Jin/json_files/testJson.log",
"offset": 106,
"message": """{ "id": "135569", "title" : "Star Trek Beyond", "year":2016 , "genre":["Action", "Adventure", "Sci-Fi"] }""",
"id": "%{id}",
"@version": "1",
"host": "Jinui-MacBook-Pro.local",
"tags": [
"beats_input_codec_plain_applied"
],
"prospector": {
"type": "log"
},
"title": "%{title}",
"beat": {
"name": "Jinui-MacBook-Pro.local",
"hostname": "Jinui-MacBook-Pro.local",
"version": "6.2.4"
}
}
}
我想做的是,
我只想将 "genre value" 存储到消息字段中,并将其他值(ex id,title)存储到额外的字段(创建的字段,即 id 和 title 字段)中。但是额外的字段存储了空值(%{id},%{title})。看来我需要修改我的 logstash json 过滤器,但在这里我需要你的帮助。
我目前的logstash配置如下
input {
beats {
port => 5044
}
}
filter {
json {
source => "genre" //want to store only genre (from json log) into message field
}
mutate {
add_field => {
"id" => "%{id}" // want to create extra field for id value from log file
"title" => "%{title}" // want to create extra field for title value from log file
}
}
date {
match => [ "timestamp", "dd/MM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}
当您告诉 json 过滤器 source 是 genre 时,它应该忽略文档的其余部分,这可以解释为什么您没有得到 id 或 title.
似乎您应该解析整个 json 文档,并使用 mutate->replace plugin 将 genre 的内容移动到 message。