我正在阅读Logstash中的JSON文档并尝试从中提取一些信息。文档输出如下所示:
{
"@source_host" => "www23",
"@tags" => [
[0] "apache-access",
[1] "json",
[2] "web"
],
"@fields" => {
"line" => "10.162.2.345 10.162.2.57 - - [05/Feb/2014:08:44:25 -0700] \"GET /test.html HTTP/1.1\" 200 44",
"timestamp" => "2014-02-05T08:44:25-0700",
"clientip" => "10.162.1.47",
"datacenter" => "PN",
"duration" => 461,
"forwardedfor" => "-",
"response" => 200,
"urlpath" => "/test.html",
"urlquery" => "",
"method" => "GET",
"bytes" => "44",
"role" => "web",
"agent" => "-",
"phpmemory" => "-",
"request" => "/test.html",
"via" => "-",
"vhost" => "10.162.2.134",
"referrer" => "-"
},
"@version" => "1",
"@timestamp" => "2014-02-05T08:44:25.710-07:00",
"type" => "json",
"host" => "10.162.2.134"
}
我正在使用此代码过滤它:
# BEGIN JSON filters
if [type] == "json" {
mutate {
convert => [ "phpmemory", "integer" ]
convert => [ "bytes", "integer" ]
convert => [ "response", "integer" ]
replace => [ "@message", "%{line}" ]
replace => [ "@clientip", "%{clientip}" ]
replace => [ "rs_duration", "%{duration}" ]
replace => [ "rs_bytes", "%{bytes}" ]
replace => [ "cs_uri", "%{urlpath}" ]
replace => [ "query", "%{urlquery}" ]
replace => [ "_type", "%{role}" ]
remove => [ "line" ]
remove => [ "clientip" ]
remove => [ "duration" ]
remove => [ "bytes" ]
remove => [ "urlpath " ]
remove => [ "urlquery" ]
remove => [ "role" ]
}
grok {
forwardedfor => "(?:-|.*%{IP:realip})"
named_captures_only => true
}
geoip {
field => "realip"
database => "/home/logstash/GeoLiteCity.dat"
add_tag => "geoip"
}
mutate {
tags => "geoip"
add_field => [ "country", "%{geoip.country_code2}" ]
add_field => [ "region", "%{geoip.region_name}" ]
}
# END JSON Filters
}
当我读入JSON文档时,它将整个文档显示为调试信息,并且根本不会进入Elasticsearch。 有谁知道是什么原因引起的? 提前致谢, 科尔