Question

我有通过logstash转换价值的问题，我无法找到它的解决方案。它似乎与日期有关。

#Log line
[2017-08-15 12:30:17] api.INFO: {"sessionId":"a216925---ff5992be7520924ff25992be75209c7","action":"processed","time":1502789417,"type":"bookingProcess","page":"order"} [] []

Logstash配置

filter {
        if [type] == "api-prod-log" {
                grok {
                        match => {"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}.%{WORD:level}: (?<log_message>.*) \[\] \[\]" }
                        add_field => [ "received_from", "%{host}" ]
                }
                json {
                    source => "log_message"
                    target => "flightSearchRequest"
                    remove_field=>["log_message"]
                }
                date {
                        match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
                        timezone => "Asia/Jerusalem"
                }
        }
}

有什么想法吗？

由于

Answer 1

您使用的是什么版本的Logstash？在Logstash 5.2.2上使用以下Logstash配置：

type = "world"
world_arr = []
town_arr = []

#add to an array
[type + '_arr'].append('test') <-- how?

当我将日志行作为输入传递时，我得到了完全正确的结果并且没有错误：

input {
    stdin{}
}

filter {
    grok {
        match => {"message" => '\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}.%{WORD:level}: (?<log_message>.*) \[\] \[\]' }
    }
    json {
        source => "log_message"
        target => "flightSearchRequest"
        remove_field=>["log_message"]
    }
    date {
        match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Asia/Jerusalem"
    }
}

output{
    stdout {codec => "rubydebug"}
}

我在开头删除了“类型”检查，你能测试一下是否会影响结果吗？

使用json_formater的Logstash问题[LogStash :: Json :: ParserError：意外的字符（＆＃39; - ＆＃39;（代码45））：期待逗号分隔ARRAY条目]

1 个答案: