我有很多这样的日志:
uid[118930] pageview h5_act, actTag[cyts] corpId[2] inviteType[0] clientId[3] clientVer[2.3.0] uniqueId[d317de16a78a0089b0d94d684e7a9585565ffa236138c0.85354991] srcId[0] subSrc[]
其中大多数是KEY [VALUE]形式的键值表达式。
我已阅读document,但仍无法弄清楚如何编写配置。
任何帮助将不胜感激!
答案 0 :(得分:0)
您只需使用kv和value_split设置配置trim过滤器,如下所示:
filter {
kv {
value_split => "\["
trim => "\]"
}
}
对于您已提供的示例日志行,您将获得:
{
"message" => "uid[118930] pageview h5_act, actTag[cyts] corpId[2] inviteType[0] clientId[3] clientVer[2.3.0] uniqueId[d317de16a78a0089b0d94d684e7a9585565ffa236138c0.85354991] srcId[0] subSrc[]",
"@version" => "1",
"@timestamp" => "2015-12-12T05:04:00.888Z",
"host" => "iMac.local",
"uid" => "118930",
"actTag" => "cyts",
"corpId" => "2",
"inviteType" => "0",
"clientId" => "3",
"clientVer" => "2.3.0",
"uniqueId" => "d317de16a78a0089b0d94d684e7a9585565ffa236138c0.85354991",
"srcId" => "0",
"subSrc" => ""
}