如何使用Ruby代码在Logstsh中动态解析JSON对象

时间:2018-08-25 18:09:37

标签: ruby logstash logstash-grok

我将其作为输入,我需要解析所有键和值并放入一个单独的事件中,您能帮助我如何实现吗,实际上,当我使用下面的ruby代码时,我只是一个键和值

"entities": {
"PROCESS_GROUP_INSTANCE-EA653E6874E21338": "WebSphere AS nzapwa145Cell (nzapwa146 / ePIMS_pwa146)",
"PROCESS_GROUP_INSTANCE-64A2967FB7FC0C5B": "WebSphere AS ndmProd (nzapwa127 / ePIMS_Report_pwa127)",
"PROCESS_GROUP_INSTANCE-4738C9392BDBC296": "EPS Store - 900008014",
"PROCESS_GROUP_INSTANCE-BA196B9B53FF6323": "EPS Store - 900008040",
"PROCESS_GROUP_INSTANCE-D5D2DAB06C8FDAAF": "ws-server.jar prod-sj-userprofile-adapter-service- - -*",
"PROCESS_GROUP_INSTANCE-3EABAD79933CE911": "/apps/conf/httpd-p2_cdis.conf - KPATHS",
}

代码:

ruby {
code => '
event.get("[result][entities]").each { |key, value|
event.set("hostId", key)
event.set("serverName", value)
}
'
}

上述代码的输出:

{"serverName":"/apps/conf/httpd-p2_cdis.conf - KPATHS)","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-3EABAD79933CE911"}

但是所需的输出将是这样的:

{"serverName":"WebSphere AS nzapwa145Cell (nzapwa146 / ePIMS_pwa146)","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-EA653E6874E21338"}
{"serverName":"WebSphere AS ndmProd (nzapwa127 / ePIMS_Report_pwa127)","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-64A2967FB7FC0C5B"}
{"serverName":"EPS Store - 900008014","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-4738C9392BDBC296"}
{"serverName":"ws-server.jar prod-sj-userprofile-adapter-service- - -*","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-BA196B9B53FF6323"}
{"serverName":"/apps/conf/httpd-p2_cdis.conf - KPATHS","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-D5D2DAB06C8FDAAF"}
{"serverName":"/apps/conf/httpd-p2_cdis.conf - KPATHS)","@timestamp":"2018-08-25T15:17:11.762Z","hostId":"PROCESS_GROUP_INSTANCE-3EABAD79933CE911"}

您能帮助我获得解决方案吗,我遇到了红宝石代码的问题。

1 个答案:

答案 0 :(得分:0)

我不是Logstash专家,但是我认为您的Ruby过滤器会在遍历所有给定的键值对时多次覆盖(设置)值hostIdserverName。这样就剩下了上次迭代中设置的值。毕竟,只有一个事件,因此您的键必须是唯一的。要解决此问题,您需要扩展事件的键字段,方法是将其嵌套在树形结构中或创建唯一的键字符串。

在这里,hostId是唯一键:

ruby {
code => '
event.get("[result][entities]").each do |key, value|
  event.set(key, value)
end
'
}

这里添加了附加索引以确保唯一键:

ruby {
code => '
idx = 0
event.get("[result][entities]").each do |key, value|
  event.set("[#{idx}][hostId]", key)
  event.set("[#{idx}][serverName]", value)
  idx += 1
end
'
}

希望您会有所帮助。