使用 logstash 解析 json 数组字符串
parse json array string using logstash
我想使用 logstash 解析此 json。
{"name":"bob","last":"builder", "atts":"{\"a\":111, \"b\":222}"}
{
"name" => "bob",
"last" => "builder"
"atts" => {
"a" => 111,
"b" => 222} }
两个选项!
使用 Logstash 解析 JSON
如果您想使用 logstash 解析 JSON - 请参考此处的 logstash 插件:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html
要做到这一点,您需要摆弄 logstash.conf:
的过滤器部分
filter {
json {
source => "message"
}
}
在 link 中还有更多 json 解码的示例。
使用 Filebeat
解析 JSON
您的另一个选择是在 filebeat 端解码 json,然后再进入 logstash。相关 links:
https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html
https://discuss.elastic.co/t/parse-json-data-with-filebeat/80008/5
https://discuss.elastic.co/t/parse-json-data-with-filebeat/80008/7
https://discuss.elastic.co/t/how-to-read-json-file-using-filebeat-and-send-it-to-elasticsearch/91802
这是针对这种情况的示例 filebeat.yml:
filebeat.inputs:
- type: log
paths:
- 'path to the log directory you want to track'
enter code here
input_type: log
json.keys_under_root: true
json.add_error_key: true
fields:
log_type: 'type of log'
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
- add_tags:
tags:
- 'tag in elastic'
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
setup.template.settings:
index.number_of_shards: 1
output.logstash:
# The Logstash hosts
hosts: ["where logstash is running"]
index: 'your index'
codec.json:
pretty: true
escape_html: false
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
json.keys_under_root: true
json.add_error_key: true
和
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
成功了。
我想使用 logstash 解析此 json。
{"name":"bob","last":"builder", "atts":"{\"a\":111, \"b\":222}"}
{ "name" => "bob", "last" => "builder" "atts" => { "a" => 111, "b" => 222} }
两个选项!
使用 Logstash 解析 JSON
如果您想使用 logstash 解析 JSON - 请参考此处的 logstash 插件:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html
要做到这一点,您需要摆弄 logstash.conf:
的过滤器部分filter {
json {
source => "message"
}
}
在 link 中还有更多 json 解码的示例。
使用 Filebeat
解析 JSON您的另一个选择是在 filebeat 端解码 json,然后再进入 logstash。相关 links:
https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html
https://discuss.elastic.co/t/parse-json-data-with-filebeat/80008/5
https://discuss.elastic.co/t/parse-json-data-with-filebeat/80008/7
https://discuss.elastic.co/t/how-to-read-json-file-using-filebeat-and-send-it-to-elasticsearch/91802
这是针对这种情况的示例 filebeat.yml:
filebeat.inputs:
- type: log
paths:
- 'path to the log directory you want to track'
enter code here
input_type: log
json.keys_under_root: true
json.add_error_key: true
fields:
log_type: 'type of log'
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
- add_tags:
tags:
- 'tag in elastic'
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
setup.template.settings:
index.number_of_shards: 1
output.logstash:
# The Logstash hosts
hosts: ["where logstash is running"]
index: 'your index'
codec.json:
pretty: true
escape_html: false
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
json.keys_under_root: true
json.add_error_key: true
和
processors:
- decode_json_fields:
fields: ["message"]
process_array: true
成功了。