如何使用logstash索引json文件?

时间:2017-09-15 13:52:10

标签: elasticsearch logstash elastic-stack logstash-grok logstash-configuration

我尝试将索引作为我的json文件,如下所示。我必须写一个grok表达式。但我不能这样做?你能救我吗?



 
{"level":"Information","ClientIP":"10.201.21.188","Test":"10.210.21.188"}
{"level":"Information","ClientIP":"10.202.21.187","Test":"10.220.21.188"}
{"level":"Information","ClientIP":"10.203.21.186","Test":"10.230.21.188"}
{"level":"Information","ClientIP":"10.204.21.185","Test":"10.240.21.188"}




我的logstash.conf如下:



 
input {
  file {
    type => "json"
    path => ["C:/logs/test-20170933.json"]
    start_position => "beginning"
  }
}
filter {
  grok { 
         match => [ "message","%{WORD:level}   I HAVE TO WRITE OTHER ELEMENTS  BUT HOW????"]
  }
  json {
          source => "message"
       }
}
output {
	 stdout {
    codec => rubydebug
    }
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}




我想我们需要grok表达才能实现。此外,我愿意接受新的创意解决方案。

1 个答案:

答案 0 :(得分:2)

你不需要任何东西,你的file输入只需要一个JSON编解码器就可以了:

input {
  file {
    type => "json"
    path => ["C:/logs/test-20170933.json"]
    start_position => "beginning"
    codec => "json"                  <-- add this
  }
}
filter {
}
output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}
相关问题
最新问题