我遇到了logstash 5.2.2过滤器的问题。我需要将字符串转换为整数并且它失败了。我采取的方法可能并不理想。这是问题陈述: JMX MBean值报告" metric_value_string" as" XX.X秒"。我希望能够将此值用作可视化中Kibana聚合的数字。
我尝试了什么:
说明: 源字段是" metric_value_string"。一个字符串。值看起来像" 26.0秒"。 期望的目的地字段是" time_in_seconds"。整数。
我尝试创建一个脚本字段。简单(无痛)转换" metric_value_string"对于在Kibana发现结果中看起来像数字的数字,可以在可视化中作为数字聚合。运行可视化时,会发生错误。它是一个强制转换异常,它显示来自" metric_value_string"的值,而不是我转换的" time_in_seconds"。这是Kibana 5.2.2。 IDK,如果这是一个错误,所以我尝试了另一种方法。
我尝试在logstash过滤器中创建并转换字段。
我尝试过这两种方法:
filter {
if "TimeSince" in [metric_path] or "Delay" in [metric_path] {
mutate { add_field => { "time_in_seconds" => "%{metric_value_string}"} }
mutate { gsub => ["time_in_seconds", ".0 secs", ""] }
mutate { convert => { "time_in_seconds", "integer" } }
}
}
和
filter {
if "TimeSince" in [metric_path] or "Delay" in [metric_path] {
ruby {
code =>
"event.set('time_in_seconds', event.get('metric_value_string'))"
}
mutate { gsub => ["time_in_seconds", ".0 secs", ""] }
mutate { convert => { "time_in_seconds", "integer" } }
}
}
有条件的东西还可以。当我注释掉
时mutate { convert => { "time_in_seconds", "integer" } }
代码,它在输出中看起来像预期的那样并且不会失败。
我不确定导致失败的是什么。该错误表示它是一个语法错误,但如果我只是注释掉转换行,则一切正常。作为一个完整性检查,我在gsub行之后添加了更多代码,以确保该代码没有问题。
这是来自logstash的STDOUT:
C:\Elastic\logstash-5.2.2\bin>cls
C:\Elastic\logstash-5.2.2\bin>logstash -f config/logstash.conf --config.reload.automatic
JAVA_OPTS was set to [ -Dlog4j.configurationFile=C:\Elastic\logstash-5.2.2\config\log4j2.properties -Xmx1g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="C:\Elastic\logstash-5.2.2/heapdump.hprof"]. Logstash will trust these options, and not set any defaults that it might usually set
[2017-09-14T14:14:14,056][ERROR][logstash.agent ] Cannot load an invalid configuration {:reason=>"Expected one of #, => at line 14, column 42 (byte 355) after filter {\n\tif \"TimeSince\" in [metric_path] or \"Delay\" in [metric_path] {\n\t\tmutate { add_field => { \"time_in_seconds\" => \"%{metric_value_string}\"} }\n\t\tmutate { gsub => [\"time_in_seconds\", \".0 secs\", \"\"] }\n\t\tmutate { convert => { \"time_in_seconds\""}
这里是上述错误的配置文件内容:
input {
jmx {
path => "plugins/jmx"
polling_frequency => 60
type => "jmx"
nb_thread => 4
}
}
filter {
if "TimeSince" in [metric_path] or "Delay" in [metric_path] {
mutate { add_field => { "time_in_seconds" => "%{metric_value_string}"} }
mutate { gsub => ["time_in_seconds", ".0 secs", ""] }
mutate { convert => { "time_in_seconds", "integer" } }
}
}
output {
stdout { codec => rubydebug }
}
如果我注释掉转换行没有问题..
我是以错误的方式来做这件事的吗?我是这个堆栈的新手。如果这是C#/ SQL,我只需要替换+ cast / convert。我在错误的地方做这件事吗?
编辑:
当我注释掉转换线以便您可以看到实际数据时,这是STDOUT:
C:\Elastic\logstash-5.2.2\bin>cls
C:\Elastic\logstash-5.2.2\bin>logstash -f config/logstash.conf --config.reload.automatic
JAVA_OPTS was set to [ -Dlog4j.configurationFile=C:\Elastic\logstash-5.2.2\config\log4j2.properties -Xmx1g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="C:\Elastic\logstash-5.2.2/heapdump.hprof"]. Logstash will trust these options, and not set any defaults that it might usually set
[2017-09-14T14:23:13,456][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
[2017-09-14T14:23:13,568][INFO ][logstash.inputs.jmx ] Create queue dispatching JMX requests to threads
[2017-09-14T14:23:13,573][INFO ][logstash.inputs.jmx ] Compile regexp for group alias object replacement
[2017-09-14T14:23:13,574][INFO ][logstash.pipeline ] Pipeline main started
[2017-09-14T14:23:13,576][INFO ][logstash.inputs.jmx ] Initialize 4 threads for JMX metrics collection
[2017-09-14T14:23:13,648][INFO ][logstash.inputs.jmx ] Loading configuration files in path {:path=>"plugins/jmx"}
[2017-09-14T14:23:13,743][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
{
"path" => "plugins/jmx",
"environment" => "TEST",
"@timestamp" => 2017-09-14T18:23:14.154Z,
"@version" => "1",
"host" => "MY HOST",
"metric_path" => "xxStatus",
"type" => "jmx",
"metric_value_string" => "idle"
}
{
"path" => "plugins/jmx",
"time_in_seconds" => "191",
"environment" => "TEST",
"@timestamp" => 2017-09-14T18:23:14.200Z,
"@version" => "1",
"host" => "MY HOST",
"metric_path" => "xxTimeSincexx",
"type" => "jmx",
"metric_value_string" => "191.0 secs"
}
答案 0 :(得分:0)
这是CONVERT上的错误语法。
filter {
if "TimeSince" in [metric_path] or "Delay" in [metric_path] {
mutate { add_field => { "time_in_seconds" => "%{metric_value_string}"} }
mutate { gsub => ["time_in_seconds", ".0 secs", ""] }
mutate { convert => ["time_in_seconds", "integer"] }
}
}
应该是
filter {
if "TimeSince" in [metric_path] or "Delay" in [metric_path] {
mutate { add_field => { "time_in_seconds" => "%{metric_value_string}"} }
mutate { gsub => ["time_in_seconds", ".0 secs", ""] }
mutate { convert => ["time_in_seconds", "integer"] }
}
}
@ https://discuss.elastic.co/t/solved-the-filter-plugin-mutate-convert-doesnt-work-in-5-0/65496/3
显示了一个正确的示例