我正在创建一个应用程序,需要借助logstash配置从日志中的json对象检索键值对。
这是我的配置:
input{
file{
path => "D:\ELK_Info\TestLogs_Updated_tablev4.log"
start_position => beginning
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
}
}
filter{
grok{
match => {
"message" => "%{IP:client_ip}%{NOTSPACE:space}%{GREEDYDATA:json_data}"
}
}
#mutate { remove_field => [ "tags"]}
json { source => "json_data" target => "parsedJson" remove_field=>["json_data"]}
mutate {
add_field => {
"AssetManagerId" => "%{[parsedJson][AssetManagerId]}"
"Amount" => "%{[parsedJson][Amount]}"
"AccountId" => "%{[parsedJson][AccountId]}"
"RequestCode" => "%{[parsedJson][RequestCode]}"
"TicketNumber" => "%{[parsedJson][TicketNumber]}"
"Status" => "%{[parsedJson][Status]}"
"message" => ["%{[parsedJson][message]}"]
}
}
}
output {
file{
path => "D:\ELK_Info\logstashOutput.log"
}
}
以下是日志:
Sep 28 15:09:50 52.231.153.246 gateway: [6] INFO AppLog - 180 - XXXGatewayAPI.APIHandlers - UpdateDepositTicket called by xyzadmin from 211.211.211.211: {"AssetManagerId":211,"AccountId":211,"AssetId":211,"AssetName":" ","Amount":"211","RequestCode":"211-211-211-211-211","RequestIP":"211.211.211.211","RequestUser":211,"RequestUserName":"211@211.com","OperatorId":211,"Status":"Accepted","FeeAmt":0,"UpdatedByUser":211,"UpdatedByUserName":"211","TicketNumber":211,"DepositInfo":"{\"Full Name\":\"211\",\"language\":\"kr\",\"Comments\":\"\"}","CreatedTimestamp":"2018-09-27T11:02:22Z","LastUpdateTimeStamp":"211-09-211:09:48.203Z","Comments":[],"Attachments":null,"type":"deposit"}
在当前配置下,我得到的键值对为:
"Status" : "%{[parsedJson][Status]}"
而我需要json中键'Status'的确切值,而不是“%{[parsedJson] [Status]}”的位置。
要获得所需的输出,我需要进行哪些更改?