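I'm trying to parse logs from a third-party application (which I can't change) in order to send them to Elastic. This is pseudocode of the log structure: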
{
  "field": "value",
  "otherField" : "{\"field\": {\"innerfield\":123123}}\r",
  (...)
}
After following this documentation, and after trying this plugin and many other solutions, I'm stuck.
My goal is to get the following form:
{
  "field": "value",
  "otherField" : {
    "field": {
      "innerfield":123123
    }
  },
  (...)
}
Answer 0 (score: 0)
Try the following:
<source>
  @type dummy
  tag dummy
  dummy [
    {"name": "value", "json": "{\"foo\": \"bar\", \"baz\": 1}"},
    {"name": "value", "json": "{\"foo\": \"bar\", \"baz\": 2}"},
    {"name": "value", "json": "{\"foo\": \"bar\", \"baz\": 3}"},
    {"name": "value", "json": "{\"foo\": \"bar\", \"baz\": 4}"},
    {"name": "value", "json": "{\"foo\": \"bar\", \"baz\": 5}"}
  ]
</source>
<filter dummy>
  @type parser
  key_name json
  reserve_data true
  remove_key_name_field true
  hash_value_field parsed
  <parse>
    @type json
  </parse>
</filter>
<match dummy>
  @type stdout
</match>
Result:
2019-04-09 12:19:35.042904619 +0900 dummy: {"name":"value","parsed":{"foo":"bar","baz":1}}
2019-04-09 12:19:36.044483191 +0900 dummy: {"name":"value","parsed":{"foo":"bar","baz":2}}
2019-04-09 12:19:37.046293186 +0900 dummy: {"name":"value","parsed":{"foo":"bar","baz":3}}
2019-04-09 12:19:38.048007580 +0900 dummy: {"name":"value","parsed":{"foo":"bar","baz":4}}
See the latest documentation: https://docs.fluentd.org/v1.0/articles/filter_parser#reserve_time
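
The transformation shown in the answer's output, applied to records shaped like the one in the question, as an added Ruby example that is not part of the original answer and is not Fluentd's own code. The helper name expand_json_field, its status symbols and the sample records are assumptions made for illustration; it also shows what to do with a line from the third-party application that is not valid JSON.

```ruby
require 'json'

# Constructed sample records modelled on the question's log structure.
SAMPLES = [
  { 'field' => 'value', 'otherField' => "{\"field\": {\"innerfield\":123123}}\r" },
  { 'field' => 'value', 'otherField' => '{"field": "value-from-inner"}' },
  { 'field' => 'value', 'otherField' => "not json at all\r" }
].freeze

# Hypothetical helper (not a Fluentd API): expand the JSON string stored in
# record[key_name] and store the result under hash_value_field, keeping the
# remaining fields (reserve_data) and dropping the raw string on success
# (remove_key_name_field), as in the answer's output.
def expand_json_field(record, key_name:, hash_value_field:)
  raw = record[key_name]
  return [record, :missing] unless raw.is_a?(String)

  begin
    parsed = JSON.parse(raw.strip) # strip removes the trailing "\r"
  rescue JSON::ParserError
    # Keep the record intact so a malformed line is not silently lost.
    return [record, :invalid_json]
  end
  # Only a JSON object can be nested as a hash; scalars and arrays are rejected.
  return [record, :not_an_object] unless parsed.is_a?(Hash)

  out = record.reject { |k, _| k == key_name }
  # Nesting under one key stops inner keys (here "field") from overwriting
  # top-level fields of the same name.
  out[hash_value_field] = parsed
  [out, :ok]
end

# Expand otherField in place, which is the form the question asks for.
def run_samples
  SAMPLES.map do |r|
    expand_json_field(r, key_name: 'otherField', hash_value_field: 'otherField')
  end
end

if __FILE__ == $PROGRAM_NAME
  run_samples.each { |rec, status| puts "#{status}: #{JSON.generate(rec)}" }
end
```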