Reading a multi-line JSON file from filebeat to logstash

Time: 2018-03-13 01:02:49

Tags: logstash filebeat

Trying to parse this multi-line JSON file

{
"eventSource" : { "objectName": "SYSTEM.ADMIN.CHANNEL.EVENT",
                   "objectType" : "Queue" },
"eventType" : {
   "name" : "Channel Event",
   "value" : 46
 },
"eventReason" : {
   "name" : "Channel Blocked",
   "value" : 2577
 },
"eventCreation" : {
   "timeStamp"  : "2018/03/07 05:50:19.06 GMT",
   "epoch"      : 1520401819
 },
"eventData" : {
 "queueMgrName" : "QMG1",
 "connectionName" : "localhost (192.168.10.1)",
 "connectionNameList" : [
    "localhost"
   ],
 "reasonQualifier" : "Channel Blocked Noaccess",
 "channelName" : "SVR.TEST",
 "clientUserId" : "test1",
 "applName" : "WebSphere MQ Client for Java",
 "applType" : "Java"
}
}

The filebeat configuration is

filebeat.prospectors:
- type: log
  paths:
    - /var/log/test2.log
  fields:
    tags: ['json']
    logsource: mqjson
  fields_under_root: true

The beats input conf is as follows.

input {
  beats {
    port => 5400
    host => "192.168.205.11"
    ssl => false
    #ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    #ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}

filter {
  if [tags][json] {
    json {
      source => "message"
    }   
  }   
}

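In Elastic, each line is a record.

Questions:

  1. How to parse this multi-line JSON

  2. Also, optionally extract certain keys, for example the eventData section.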

1 answer:

Answer 0: (score: 0)

Converted the JSON by adding the following. An issue was opened in Elastic, and it was fixed in 6.0.

processors:
 - decode_json_fields:
    fields: ['message']
    target: json
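
A combined Filebeat 6.x configuration for the file in the question, as an added example that is not part of the original question or answer: the `multiline.*` settings are not on the page and assume every event starts with `{` in column 0, as in the sample, so the lines of one event are joined into a single `message` before the answer's `decode_json_fields` processor parses it.

```yaml
# Added example (not from the original post). Filebeat 6.x prospector syntax.
filebeat.prospectors:
- type: log
  paths:
    - /var/log/test2.log          # path taken from the question
  # Assumption: each event begins with "{" in column 0, as in the sample file.
  # With negate: true and match: after, every line that does NOT match the
  # pattern is appended to the preceding line that did match it.
  multiline.pattern: '^\{'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 500        # further lines of an oversized event are dropped
  multiline.timeout: 5s           # flush the pending event if no new "{" line arrives
  fields:
    tags: ['json']
    logsource: mqjson
  fields_under_root: true

processors:
  # From the answer: parse the joined text in "message" into the "json" field.
  - decode_json_fields:
      fields: ['message']
      target: json
```

With `target: json`, the keys from the second question are shipped as nested fields such as `json.eventData.channelName` and `json.eventData.clientUserId`, which Logstash addresses as `[json][eventData][clientUserId]`.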