logstash提取并将嵌套字段移动到新的父字段中

时间:2018-05-09 11:08:47

标签: elasticsearch logstash logstash-grok

如果在我的日志中打印给定点的纬度和经度,我如何捕获此信息以便在弹性搜索中将其作为地理空间数据处理?

下面我将展示Elasticsearch中与日志行对应的文档示例:

{
  "_index": "memo-logstash-2018.05",
  "_type": "doc",
  "_id": "DDCARGMBfvaBflicTW4-",
  "_version": 1,
  "_score": null,
  "_source": {
    "type": "elktest",
    "message": "LON: 12.5, LAT: 42",
    "@timestamp": "2018-05-09T10:44:09.046Z",
    "host": "f6f9fd66cd6c",
    "path": "/usr/share/logstash/logs/docker-elk-master.log",
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      "2018-05-09T10:44:09.046Z"
    ]
  },
  "highlight": {
    "type": [
      "@kibana-highlighted-field@elktest@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1525862649046
  ]
}

1 个答案:

答案 0 :(得分:0)

您可以先将LONLAT分隔到自己的字段中,如下所示,

grok {
  match => {"message" => "LON: %{NUMBER:LON}, LAT: %{NUMBER:LAT}"}
}

一旦它们分开,你可以使用mutate过滤器在它们周围创建一个父字段,如下所示,

filter {
  mutate {
    rename => { "LON" => "[location][LON]" }
    rename => { "LAT" => "[location][LAT]" }
  }
}

请告诉我这是否有帮助。

相关问题
最新问题