如何检查 logstash 中消息字段的 json 字符串中的键值对
How to check key value pair in json string for message field in logstash
这是日志 json 字符串的示例,消息字段也是 json 字符串。
{
"service_id" => "sec-sip",
"@version" => "1",
"logplane" => "containerlogs",
"componentName" => "container",
"message" => "{"version":"1.0","timestamp":"2021-08-06T13:48:56.640+0000","severity":"info","service_id":"MANAGER@m.syslog","message":"santu testtttttttttttttttttttttt","extra_data":{"manager":{"log_plane":"alarmlogs","alarm_raise_time":"1628251669506","alarm_update_time":"1628257736581","source_type":"MANAGER","alarm_instance_id":"1","alarm_proposed_repair_action":"Informational alarm no action required.","alarm_handler_specific_problem":null,"specific_problem":"Business Logic Updated","event_type":"Processing",}}}",
"version" => "0.2.0",
"timestamp" => "2021-08-06T16:47:13.736Z"
}
我需要在 [extra_data][manager][logplane] == "alarmlogs"
的基础上更改 logplane 值
你能帮我吗,我们如何从消息字段中提取这个键并应用条件?
我想实现下面给出的。
if [extra_data][manager][logplane] == "alarmlogs" {
mutate {
replace => {"[logplane]" => "informational"}
}
}
您必须使用 json filter 将 string 转换为 json 对象。在你的情况下,做类似的事情
filter {
json {
source => "message"
target => "json_message"
}
if [json_message][extra_data][manager][logplane] == "alarmlogs" {
mutate {
replace => {"[logplane]" => "informational"}
}
}
}
不确定是否要转换回这个新的 json object
这是日志 json 字符串的示例,消息字段也是 json 字符串。
{
"service_id" => "sec-sip",
"@version" => "1",
"logplane" => "containerlogs",
"componentName" => "container",
"message" => "{"version":"1.0","timestamp":"2021-08-06T13:48:56.640+0000","severity":"info","service_id":"MANAGER@m.syslog","message":"santu testtttttttttttttttttttttt","extra_data":{"manager":{"log_plane":"alarmlogs","alarm_raise_time":"1628251669506","alarm_update_time":"1628257736581","source_type":"MANAGER","alarm_instance_id":"1","alarm_proposed_repair_action":"Informational alarm no action required.","alarm_handler_specific_problem":null,"specific_problem":"Business Logic Updated","event_type":"Processing",}}}",
"version" => "0.2.0",
"timestamp" => "2021-08-06T16:47:13.736Z"
}
我需要在 [extra_data][manager][logplane] == "alarmlogs"
的基础上更改 logplane 值你能帮我吗,我们如何从消息字段中提取这个键并应用条件?
我想实现下面给出的。
if [extra_data][manager][logplane] == "alarmlogs" {
mutate {
replace => {"[logplane]" => "informational"}
}
}
您必须使用 json filter 将 string 转换为 json 对象。在你的情况下,做类似的事情
filter {
json {
source => "message"
target => "json_message"
}
if [json_message][extra_data][manager][logplane] == "alarmlogs" {
mutate {
replace => {"[logplane]" => "informational"}
}
}
}
不确定是否要转换回这个新的 json object