How to parse a JSON log file with jq?

Time: 2019-07-23 18:36:08

Tags: json filter jq

I have two kinds of logs in a JSON log file, and I want to parse them and tag each event with a label using a jq filter. An example of each event follows:

The goal is to tag each event so that if the message starts with TR, .sourcetype = application_log; otherwise, if the message starts with IP, .sourcetype = access_log.

So far I'm using: jq -r '.[] | select(.log[12:14] == "TR") | .sourcetype = "application_log" | .sourcetype' test.log


2 Answers:

Answer 0 (score: 0)

If I understand the task correctly, the solution would be:

.log[12:14] as $code    
| if ($code == "TR") then .sourcetype = "application_log"
  elif ($code == "IP") then .sourcetype = "access_log"
  else .
  end

If you want the .log value as a JSON object so that you can add .sourcetype inside it, you have to apply fromjson to the original .log value, like so:

.log |= fromjson
| .log.message[0:2] as $code    # after fromjson the parsed event lives under .log, so the message is .log.message
| if ($code == "TR") then .log.sourcetype = "application_log"
  elif ($code == "IP") then .log.sourcetype = "access_log"
  else .
  end
| .log |= tostring    # is this line really needed?
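
The same tagging done in Python, as an added example that is not code from the question or from either answer: it mirrors the second filter above (parse .log, look at the first two characters of the message, add .sourcetype) and, for comparison, also emulates the fixed-offset `.log[12:14]` check from the question. The sample lines, record shape, message texts and the `PREFIX_TO_SOURCETYPE` table are constructed for this example; the offset check is shown so you can see where it silently misses (inner JSON with keys in a different order, or a .log that is not JSON at all), and malformed lines are skipped instead of aborting the run.

```python
import json
from typing import Iterable, List, Optional

# Prefix of the inner "message" field -> sourcetype, as stated in the question.
PREFIX_TO_SOURCETYPE = {"TR": "application_log", "IP": "access_log"}


def make_record(inner: dict) -> str:
    """Build one constructed NDJSON line in the shape shown on this page:
    the outer record carries a "log" field whose value is the inner event
    serialised as a JSON string (compact separators, as a container runtime
    would emit it). Sample data only; not taken from the original post."""
    outer = {
        "log": json.dumps(inner, separators=(",", ":")) + "\n",
        "stream": "stdout",
        "time": "2019-07-23T00:47:07.222368843Z",
    }
    return json.dumps(outer)


# Constructed sample input covering the normal cases and the edge cases.
SAMPLE_LINES = [
    make_record({"message": "TR=failed to send order confirmation", "severity": "warning"}),
    make_record({"message": "IP=10.64.5.235 GET /health 200", "severity": "info"}),
    make_record({"severity": "warning", "message": "TR=retrying rpc"}),  # keys reordered
    make_record({"message": "heartbeat ok", "severity": "info"}),        # no known prefix
    json.dumps({"log": "TR=plain text, not JSON\n", "stream": "stderr",
                "time": "2019-07-23T00:47:08Z"}),                       # .log is not JSON
    "not json at all",                                                    # malformed line
    "",                                                                   # blank line
]


def raw_log_of(line: str) -> str:
    """Return the raw .log string of one NDJSON line (helper for comparisons)."""
    return json.loads(line)["log"]


def classify_by_offset(raw_log: str) -> Optional[str]:
    """Emulate the fixed-offset check `.log[12:14]` from the question.
    It only works while the inner JSON starts with exactly {"message":" ."""
    return PREFIX_TO_SOURCETYPE.get(raw_log[12:14])


def extract_message(raw_log: str) -> str:
    """Equivalent of `.log |= fromjson | .log.message`: parse the inner event
    and return its message; fall back to the raw string when .log is not JSON."""
    try:
        inner = json.loads(raw_log)
    except json.JSONDecodeError:
        return raw_log
    if isinstance(inner, dict) and isinstance(inner.get("message"), str):
        return inner["message"]
    return ""


def tag_record(line: str) -> Optional[dict]:
    """Parse one NDJSON line and add .sourcetype from the message prefix.
    Returns None for lines that are not a JSON object, so one bad line does
    not abort the whole file (plain jq stops at the first input parse error)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    raw_log = rec.get("log")
    message = extract_message(raw_log) if isinstance(raw_log, str) else ""
    sourcetype = PREFIX_TO_SOURCETYPE.get(message[:2])
    if sourcetype is not None:
        rec["sourcetype"] = sourcetype
    return rec


def tag_lines(lines: Iterable[str]) -> List[dict]:
    """Tag every non-blank, well-formed line; skip the rest."""
    tagged = []
    for line in lines:
        if not line.strip():
            continue
        rec = tag_record(line)
        if rec is not None:
            tagged.append(rec)
    return tagged


if __name__ == "__main__":
    # Print the tagged records as NDJSON, one per line, like `jq -c`.
    for rec in tag_lines(SAMPLE_LINES):
        print(json.dumps(rec, separators=(",", ":")))
```

Running it prints five tagged records; the reordered-key event and the plain-text event both get `application_log` from the parsed check, while `classify_by_offset` returns nothing for them. Since the message is written by the emitting application, treat the prefix as a routing hint for the pipeline, and count or quarantine lines that fail to parse rather than dropping them silently.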

Answer 1 (score: 0)

Alternatively, the same can be done using jtc, a walk-path based unix utility:

bash $ jtc -aw'[log]:<"TR=>R<V:"application_log">v[-1]' -w'[log]:<"IP>R<V:"access_log">v[-1]' -i0 -T'{"sourcetype":"{V}"}' log.json 
{
   "log": "{\"message\":\"TR=failed to send order confirmation to \\\"someone@example.com\\\": rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \\\"transport: Error while dialing dial tcp 10.64.5.235:5000: i/o timeout\\\"\",\"severity\":\"warning\",\"timestamp\":\"2019-07-23T00:47:07.216693578Z\"}\n",
   "sourcetype": "application_log",
   "stream": "stdout",
   "time": "2019-07-23T00:47:07.222368843Z"
}
{
   "log": "{\"message\":\"IP=failed to send order confirmation to \\\"someone@example.com\\\": rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \\\"transport: Error while dialing dial tcp 10.64.5.235:5000: i/o timeout\\\"\",\"severity\":\"warning\",\"timestamp\":\"2019-07-23T00:47:07.216693578Z\"}\n",
   "sourcetype": "access_log",
   "stream": "stdout",
   "time": "2019-07-23T00:47:07.222368843Z"
}
bash $ 
  • there are 2 walk paths here (one matching the TR record type in log and one matching IP); each defines the variable V with its respective content (upon a successful match). Both walks are applied to each JSON, and whichever succeeds defines the content of V
  • the insert option (-i) takes a dummy operand (0), because it will be entirely replaced by the template (-T) you need

PS> Disclosure: I'm the creator of jtc, a shell CLI tool for JSON operations