Logstash将JSON解析为单个事件

时间:2016-05-19 13:41:11

标签: logstash logstash-grok

我正在尝试一个HTTP Poller,它以下面的格式返回响应(这是一行JSON)。 

{"total":3,"offset":1,"len":50,"workflows":[
{"appName":"test1","createdTime":"Wed, 11 May 2016 13:30:28  GMT","startTime":"Wed, 11 May 2016 13:30:28 GMT","endTime":"Wed, 11 May 2016 13:31:06 GMT","status":"SUCCEEDED"},
{"appName":"test2","createdTime":"Wed, 11 May 2016 13:30:28 GMT","startTime":"Wed, 11 May 2016 13:30:28 GMT","endTime":"Wed, 11 May 2016 13:31:06 GMT","status":"SUCCEEDED"},
{"appName":"test3","createdTime":"Wed, 11 May 2016 13:30:28 GMT","startTime":"Wed, 11 May 2016 13:30:28 GMT","endTime":"Wed, 11 May 2016 13:31:06 GMT","status":"SUCCEEDED"}
]
}

对我的要求是将每个工作流项(数组元素)存储为弹性搜索中的单独事件。具体来说,我想为每条记录提取appName,createdTime,Status并将此单个事件传递给ElasticSearch输出插件。

你能帮忙解决这个问题吗?

logstash配置文件如下所示

input {
  http_poller 
  {
    urls => 
    {
      mycall => 
      {
        method => "GET"
        url => "http://myip/url"            
      }
    }
    tags => 'data'
    request_timeout =>60
    interval => 1200
    codec => "json"
    metadata_target => "http_poller_metadata"
  }


  }

output {    
stdout  
{   

 codec => rubydebug }
}

1 个答案:

答案 0 :(得分:1)

使用split filter您可以拆分mutate,您可以提取字段:

CONF:

warning

结果:

split {
    field => "workflows"
    terminator => ","
    }
mutate {
   rename => {
    "[workflows][appName]" => "appName"
    "[workflows][createdTime]" => "createdTime"
    "[workflows][startTime]" => "startTime"
    "[workflows][endTime]" => "endTime"
    "[workflows][status]" => "status"
   }
   remove_field => ["workflows", "total", "offset", "len"]
}
相关问题
最新问题