如何处理输入文件 logstash 中的特殊字符 (")
how to handle special characters ( " ) in input file logstash
我在使用 logstash 推送到 ELK 时遇到数据问题。
这是我的输入文件
input {
file {
path => ["C:/Users/HoangHiep/Desktop/test17.txt"]
type => "_doc"
start_position => beginning
}
}
filter {
dissect {
mapping => {
"message" => "%{word}"
}
}
}
output {
elasticsearch{
hosts => ["localhost:9200"]
index => "test01"
}
stdout { codec => rubydebug}
}
我的数据是
"day la text"
这是输出
{
"host" => "DESKTOP-T41GENH",
"path" => "C:/Users/HoangHiep/Desktop/test17.txt",
"@timestamp" => 2020-01-15T10:04:52.746Z,
"@version" => "1",
"type" => "_doc",
"message" => "\"day la text\"\r",
"word" => "\"day la text\"\r"
}
有什么方法可以处理字符 (")。
我希望 "word" 就像 "day la text \r" 没有字符 \"
谢谢大家
如果此更改适合您,我可以对此进行更多解释。我说的原因是我有最新的 mac,所以我在消息中看不到结尾的 \r。
输入就像您拥有的一样"day la text"
filter {
mutate {
gsub => [
"message","(\")", ""
]
}
}
响应是
{
"@timestamp" => 2020-01-15T15:01:58.828Z,
"@version" => "1",
"headers" => {
"http_version" => "HTTP/1.1",
"request_method" => "POST",
"http_accept" => "*/*",
"accept_encoding" => "gzip, deflate",
"postman_token" => "5ae8b2a0-2e94-433c-9ecc-e415731365b6",
"cache_control" => "no-cache",
"content_type" => "text/plain",
"connection" => "keep-alive",
"http_user_agent" => "PostmanRuntime/7.21.0",
"http_host" => "localhost:8080",
"content_length" => "13",
"request_path" => "/"
},
"host" => "0:0:0:0:0:0:0:1",
"message" => "day la text" <===== see the extra inbuilt `\"` gone.
}
我在使用 logstash 推送到 ELK 时遇到数据问题。 这是我的输入文件
input {
file {
path => ["C:/Users/HoangHiep/Desktop/test17.txt"]
type => "_doc"
start_position => beginning
}
}
filter {
dissect {
mapping => {
"message" => "%{word}"
}
}
}
output {
elasticsearch{
hosts => ["localhost:9200"]
index => "test01"
}
stdout { codec => rubydebug}
}
我的数据是
"day la text"
这是输出
{
"host" => "DESKTOP-T41GENH",
"path" => "C:/Users/HoangHiep/Desktop/test17.txt",
"@timestamp" => 2020-01-15T10:04:52.746Z,
"@version" => "1",
"type" => "_doc",
"message" => "\"day la text\"\r",
"word" => "\"day la text\"\r"
}
有什么方法可以处理字符 (")。 我希望 "word" 就像 "day la text \r" 没有字符 \"
谢谢大家
如果此更改适合您,我可以对此进行更多解释。我说的原因是我有最新的 mac,所以我在消息中看不到结尾的 \r。
输入就像您拥有的一样"day la text"
filter {
mutate {
gsub => [
"message","(\")", ""
]
}
}
响应是
{
"@timestamp" => 2020-01-15T15:01:58.828Z,
"@version" => "1",
"headers" => {
"http_version" => "HTTP/1.1",
"request_method" => "POST",
"http_accept" => "*/*",
"accept_encoding" => "gzip, deflate",
"postman_token" => "5ae8b2a0-2e94-433c-9ecc-e415731365b6",
"cache_control" => "no-cache",
"content_type" => "text/plain",
"connection" => "keep-alive",
"http_user_agent" => "PostmanRuntime/7.21.0",
"http_host" => "localhost:8080",
"content_length" => "13",
"request_path" => "/"
},
"host" => "0:0:0:0:0:0:0:1",
"message" => "day la text" <===== see the extra inbuilt `\"` gone.
}