我使用以下过滤器配置:
filter {
if [type] == "client-log" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
urldecode{
field => "request"
}
mutate {
gsub => [ "request", '/log/', '' ]
}
json {
source => "request"
}
}
}
当请求只是一个级别的json对象时,它工作正常。如果它得到更多,那么Logstash正在获得解析错误。有什么建议吗?
请求示例:
{
session_id: "123",
message: {
id: 1221
//....
}
//....
}
错误:
{:timestamp=>"2016-09-07T15:53:34.712000+0100", :message=>"Error parsing json", :source=>"request", :raw=>"{\"session_id\":\"8d078da0-74f9-11e6-8d31-6925e76dde0e\",\"level\":\"Debug\",\"methodName\":\"fetchExternalData\",\"class\":\"fetchExternalData\",\"lineNumber\":78,\"message\":\"{\"0\":\"fetchExternalData doFetch assets \",\"1\":\"http://lab6services:8080/alerts\",\"2\":{\"method\":\"post\",\"headers\":{},\"body\":\"{\\\"results\\\":{\\\"types\\\":[\\\"alerts\\\"],\\\"format\\\":\\\"table\\\"},\\\"filter\\\":{\\\"title\\\":\\\"new alerts\\\",\\\"filterType\\\":\\\"PROPERTY\\\",\\\"operator\\\":\\\"range\\\",\\\"field\\\":\\\"createdAt\\\",\\\"type\\\":\\\"alert\\\",\\\"values\\\":[{\\\"value\\\":\\\"07/09/2016 15:49:44\\\"},{\\\"value\\\":\\\"07/09/2016 15:51:44\\\"}]},\\\"aggregate\\\":null}\"}}\",\"version\":\"1.2.0\",\"user\":\"user\",\"timestamp\":\"2016-09-07T12:51:44.953Z\"}", :exception=>#<LogStash::Json::ParserError: Unexpected character ('0' (code 48)): was expecting comma to separate OBJECT entries
at [Source: [B@51b925ff; line: 1, column: 161]>, :level=>:warn}
日志行:
127.8.4.1 - - [07/Sep/2016:15:54:07 +0100] "GET /log/%7B%22session_id%22:%228d078da0-74f9-11e6-8d31-6925e76dde0e%22,%22level%22:%22Debug%22,%22methodName%22:%22fetchExternalData%22,%22class%22:%22fetchExternalData%22,%22lineNumber%22:78,%22message%22:%22%7B%220%22:%22fetchExternalData%20doFetch%20assets%20%22,%221%22:%22http://lab6services:8080/alerts%22,%222%22:%7B%22method%22:%22post%22,%22headers%22:%7B%7D,%22body%22:%22%7B%5C%22results%5C%22:%7B%5C%22types%5C%22:%5B%5C%22alerts%5C%22%5D,%5C%22format%5C%22:%5C%22table%5C%22%7D,%5C%22filter%5C%22:%7B%5C%22title%5C%22:%5C%22new%20alerts%5C%22,%5C%22filterType%5C%22:%5C%22PROPERTY%5C%22,%5C%22operator%5C%22:%5C%22range%5C%22,%5C%22field%5C%22:%5C%22createdAt%5C%22,%5C%22type%5C%22:%5C%22alert%5C%22,%5C%22values%5C%22:%5B%7B%5C%22value%5C%22:%5C%2207/09/2016%2015:49:44%5C%22%7D,%7B%5C%22value%5C%22:%5C%2207/09/2016%2015:52:22%5C%22%7D%5D%7D,%5C%22aggregate%5C%22:null%7D%22%7D%7D%22,%22version%22:%221.2.0%22,%22user%22:%22user%22,%22timestamp%22:%222016-09-07T12:52:22.928Z%22%7D HTTP/1.1" 200 0 "http://localhost:3000/main.worker.js" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
---编辑---
我只想解析第一级&res 39; resquest&#39;。如何防止过滤器解析任何嵌套的json元素?