Question

我在logstash中有以下日志：

{
    "message":"{\"name\":\"myapp\",\"hostname\":\"sensu-node-dev\",\"pid\":749,\"level\":50,\"err\":{\"message\":\"Cannot find module 'lol'\",\"name\":\"Error\",\"stack\":\"Error: Cannot find module 'lol'\\n    at Function.Module._resolveFilename (module.js:339:15)\\n    at Function.Module._load (module.js:290:25)\\n    at Module.require (module.js:367:17)\\n    at require (internal/module.js:16:19)\\n    at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\\n    at next (native)\\n    at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\\n    at next (native)\\n    at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\\n    at /srv/www/dev.site/node_modules/co/index.js:54:5\",\"code\":\"MODULE_NOT_FOUND\"},\"msg\":\"Cannot find module 'lol'\",\"time\":\"2016-02-26T15:59:25.688Z\",\"v\":0}",
    "@version":"1",
    "@timestamp":"2016-02-26T15:59:35.317Z",
    "beat":{"hostname":"sensu-node-dev","name":"sensu-node-dev"},
    "count":1,
    "fields":null,
    "input_type":"log",
    "offset":83219,
    "source":"/var/log/bunyan/myapp-info.log",
    "type":"log",
    "host":"sensu-node-dev",
    "tags":["beats_input_codec_plain_applied","error"],
    "name":"myapp",
    "hostname":"sensu-node-dev",
    "pid":749,
    "level":50,
    "err":{"message":"Cannot find module 'lol'","name":"Error","stack":"Error: Cannot find module 'lol'\n    at Function.Module._resolveFilename (module.js:339:15)\n    at Function.Module._load (module.js:290:25)\n    at Module.require (module.js:367:17)\n    at require (internal/module.js:16:19)\n    at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\n    at next (native)\n    at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\n    at next (native)\n    at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\n    at /srv/www/dev.site/node_modules/co/index.js:54:5","code":"MODULE_NOT_FOUND"},
    "msg":"Cannot find module 'lol'",
    "time":"2016-02-26T15:59:25.688Z",
    "v":0
}

我想logstash输出以下内容：

{
    title: "error message from host sensu-node-dev",
    text:"{\"name\":\"myapp\",\"hostname\":\"sensu-node-dev\",\"pid\":749,\"level\":50,\"err\":{\"message\":\"Cannot find module 'lol'\",\"name\":\"Error\",\"stack\":\"Error: Cannot find module 'lol'\\n    at Function.Module._resolveFilename (module.js:339:15)\\n    at Function.Module._load (module.js:290:25)\\n    at Module.require (module.js:367:17)\\n    at require (internal/module.js:16:19)\\n    at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\\n    at next (native)\\n    at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\\n    at next (native)\\n    at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\\n    at /srv/www/dev.site/node_modules/co/index.js:54:5\",\"code\":\"MODULE_NOT_FOUND\"},\"msg\":\"Cannot find module 'lol'\",\"time\":\"2016-02-26T15:59:25.688Z\",\"v\":0}"
}

sensu-node-dev取自原始日志中的host字段。 text字段包含原始日志中message字段的内容。感觉这应该是一项微不足道的任务。

我一直在看grok，它根本不是初学友好的！我不确定这是应该在我的logstash .conf文件的过滤器还是输出中完成的？

Answer 1

即使使用其他字段中的值，您也可以创建一个新字段：

mutate {
    add_field => { "title" => "error message from host %{host}" }
}

您可以重命名其他字段以将它们放在您想要的位置：

mutate {
    rename => { "name" => "[text][name]" }
}

如果您不想要剩余的字段，可以使用mutate-＆gt; remove_field。

Logstash / Grok复制消息和其他字段以创建新的输出格式

1 个答案: