如何使用 logstash 为 json 文件编制索引？

Question

我尝试为我的 json 文件创建索引，如下所示。我必须写一个 grok 表达式。但我不能那样做？你能帮帮我吗？

{"level":"Information","ClientIP":"10.201.21.188","Test":"10.210.21.188"}
{"level":"Information","ClientIP":"10.202.21.187","Test":"10.220.21.188"}
{"level":"Information","ClientIP":"10.203.21.186","Test":"10.230.21.188"}
{"level":"Information","ClientIP":"10.204.21.185","Test":"10.240.21.188"}

我的logstash.conf如下：

input {
  file {
    type => "json"
    path => ["C:/logs/test-20170933.json"]
    start_position => "beginning"
  }
}
filter {
  grok { 
         match => [ "message","%{WORD:level}   I HAVE TO WRITE OTHER ELEMENTS  BUT HOW????"]
  }
  json {
          source => "message"
       }
}
output {
  stdout {
    codec => rubydebug
    }
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}

我想我们需要 grok 表达式来实现它。我也愿意为此提供新的创意解决方案。

Answer 1

你不需要 grok 任何东西，你的 file 输入只需要一个 JSON 编解码器就可以了：

input {
  file {
    type => "json"
    path => ["C:/logs/test-20170933.json"]
    start_position => "beginning"
    codec => "json"                  <-- add this
  }
}
filter {
}
output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}

如何使用 logstash 为 json 文件编制索引？

How can I make indexing json file by using logstash?

elasticsearch

logstash

logstash-grok

logstash-configuration

elastic-stack