我有一个nginx日志文件,其中包含如下行:
127.0.0.1 192.168.0.1 - [28/Feb/2013:12:00:00 +0900] "GET / HTTP/1.1" 200 777 "-" "Opera/12.0" - <{"key1":"value1","key2":98765,"key3":false,"key4":["one","two"],"key5":{"key22":98765,"key23":false,"key24":["one-one","two-two"]}}>
如您所见,最后一个值是JSON对象。现在,我需要以以下格式进行解析
1362020400 (28/Feb/2013:12:00:00 +0900)
record:
{
"remote" : "127.0.0.1",
"host" : "192.168.0.1",
"user" : "-",
"method" : "GET",
"path" : "/",
"code" : "200",
"size" : "777",
"referer" : "-",
"agent" : "Opera/12.0",
"http_x_forwarded_for": "-",
"myobject" :{
"key1": "value1",
"key2": 98765,
"key3": false,
"key4": [
"one",
"two"
],
"key5": {
"key22": 98765,
"key23": false,
"key24": [
"one-one",
"two-two"
]
}
}
我可以使用以下格式:
expression /^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)"(?:\s+(?<http_x_forwarded_for>[^ ]+))?) \<(?<myobject>[^\>]*)\>?$/
time_format %d/%b/%Y:%H:%M:%S %z
但是,它将最后一个JSON对象解析为字符串。如何将该值保留为JSON?
答案 0 :(得分:1)
您可以使用filter/parser从字符串解析为json对象
<filter foo.bar>
@type parser
key_name myobject
reserve_data true
remove_key_name_field true
hash_value_field parsed
<parse>
@type json
</parse>
</filter>
这是例子
# input data: {"host":"192.168.0.1", "myobject":"{\"key1\":1,\"key2\":2}"}
# output data: {"host":"192.168.0.1", "parsed":{"key1":1,"key2":2}}