Question

这是我的json对象的样子，我已经验证我得到的json是有效的。我尝试设置相同的配置文件，但总是收到相同的错误

SON解析错误，消息字段{：error =>＃，：data =>“ {\” total_rows \“：15587，\” offset \“：0，\” rows \“：[\ r“} [2019-08-05T21：07：49,799] [WARN] [logstash.filters.split]仅字符串和数组类型是可拆分的。字段：[doc] [serversGroups]的类型= NilClass [2019-08-05T21：07：50,584] [WARN] [logstash.filters.split]仅字符串和数组类型是可拆分的。字段：[doc] [serversGroups] [ActiveUsers]的类型= NilClass

这是我用于Logstash的源配置文件

filter {

json {
source => "message"
skip_on_invalid_json => "true"
target => "doc"
}

split {

field => "[doc][serversGroups]"

}

split {

field => "[doc][serversGroups][ActiveUsers]"
}

date {
      match => [ "[doc][date]", "UNIX" ]
      target => "unix_time"
    }

mutate {
      convert => { "[doc][serversGroups][ActiveUsers][handle]" => "integer"
                   "[doc][serversGroups][list][UsedLicenses]" => "integer"
                   "[doc][serversGroups][list][issuedLicenses]" => "integer"
      }
    }

fingerprint {
concatenate_all_fields => "true"
method => "SHA256"
target => "fingerprint"
  }
}

output {

stdout {
codec => "rubydebug"
}

elasticsearch {
hosts => ["localhost:9200"]
index => "pyyython"
codec => "json"
document_id => "%{[fingerprint]}"
}


}

这是我的原始JSON

{
  "total_rows": 156122,
  "offset": 12,
  "rows": [
    {
      "id": "12345",
      "key": "12345",
      "value": {
        "rev": "1-12345"
      },
      "doc": {
        "_id": "12345",
        "_rev": "1-12345",
        "date": "15645348122",
        "HostServerName": "abc.com",
        "serversGroups": [
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "1"
            },
            "ActiveUsers": [
              {
                "user": "me",
                "user_host": "myself",
                "dispay": "andI",
                "version": "v1.1",
                "server_host": "testing.abc.com",
                "handle": "12345",
                "last_date_license_check": "7/7",
                "last_time_license_check": "12:12"
              }
            ]
          }
        ]
      }
    }
  ]
}

我不断收到此错误

SON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Array (start marker at [Source: (S"; line: 1, column: 39])87,"offset":0,"rows":[
"; line: 2, column: 41]>, :data=>"{\"total_rows\":15587,\"offset\":0,\"rows\":[\r"}
[2019-08-05T21:07:49,799][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups] is of type = NilClass
[2019-08-05T21:07:50,584][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups][ActiveUsers] is of type = NilClass

不确定我的分割是否错误！

Answer 1

您显示的源JSON显然是无效的，因为它以逗号结尾。如果我用

替换逗号

]
}
}
]
}

则它是有效的。完成更改后，可以使用

进行拆分

split { field => "[doc][rows][0][doc][serversGroups]" }
split { field => "[doc][rows][0][doc][serversGroups][ActiveUsers]" }

Json数组拆分问题Logstash配置：意外的输入结束：数组的预期结束标记（起始标记位于[来源：（S

1 个答案: