我需要有关logstash过滤器的帮助,以将json键/值提取到new_field。以下是我的logstash conf。
input {
tcp {
port => 5044
}
}
filter {
json {
source => "message"
add_field => {
"data" => "%{[message][data]}"
}
}
}
output {
stdout { codec => rubydebug }
}
我尝试了mutate:
filter {
json {
source => "message"
}
mutate {
add_field => {
"data" => "%{[message][data]}"
}
}
}
我尝试了。而不是[]:
filter {
json {
source => "message"
}
mutate {
add_field => {
"data" => "%{message.data}"
}
}
}
我尝试使用索引号:
filter {
json {
source => "message"
}
mutate {
add_field => {
"data" => "%{[message][0]}"
}
}
}
一切都没有运气。 :(
以下json发送到端口5044:
{"data": "blablabla"}
问题在于新字段无法从json的键中提取值。
“数据” =>“%{[消息] [数据]}”
以下是我的标准配置:
{
"@version" => "1",
"host" => "localhost",
"type" => "logstash",
"data" => "%{[message][data]}",
"path" => "/path/from/my/app",
"@timestamp" => 2019-01-11T20:39:10.845Z,
"message" => "{\"data\": \"blablabla\"}"
}
但是,如果我使用“ data” =>“%{[message]}” ,则代替:
filter {
json {
source => "message"
add_field => {
"data" => "%{[message]}"
}
}
}
我将从stdout获取整个json。
{
"@version" => "1",
"host" => "localhost",
"type" => "logstash",
"data" => "{\"data\": \"blablabla\"}",
"path" => "/path/from/my/app",
"@timestamp" => 2019-01-11T20:39:10.845Z,
"message" => "{\"data\": \"blablabla\"}"
}
谁能告诉我我做错了什么。
谢谢你
我使用docker-elk堆栈ELK_VERSION = 6.5.4
答案 0 :(得分:1)
add_field用于在过滤器成功运行时添加自定义逻辑,许多过滤器都具有此选项。如果要将json解析为字段,则应使用target:
filter {
json {
source => "message"
target => "data" // parse into data field
}
}