我有以下格式的JSON数据,我发送到logstash实例 在http端点上监听
{
client: "c",
pageInfo: ["a","b","c"],
restInfo: ["r","s","t"]
}
我的目标是将此输入作为同一索引中的两种不同类型发送到elasticsearch端点;例如
PUT elasticsearchhost:port/myindex/pageInfo
{ client: "c", pageInfo: ["a","b","c"] }
PUT elasticsearchhost:port/myindex/restInfo
{ client: "c", restInfo: ["r","s","t"] }
我在logstash(split,mutate,grok)中尝试过一些过滤器,但我无法理解如何执行这个非常具体的拆分,或者如果我还要在输出部分修改我的配置< / p>
答案 0 :(得分:1)
您需要使用clone克隆事件,然后修改克隆。
例如:
filter {
clone { clones => ["pageInfo", "restInfo" ] }
if [type]=="pageInfo" {
mutate {
remove_field => "restInfo"
}
}
if [type] == "restInfo" {
mutate {
remove_field => "pageInfo"
}
}
}
然后在elasticsearch输出中,请确保包含document_type => "%{type}"