
Using JSON with LogStash

I'm going out of my mind here. I have an app that writes logs to a file. Each log entry is a JSON object. An example of my .json file looks like the following:

{"Property 1":"value A","Property 2":"value B"}
{"Property 1":"value x","Property 2":"value y"}

I'm trying desperately to get the log entries into LogStash. In an attempt to do this, I've created the following LogStash configuration file:

input {
  file {
    type => "json"
    path => "/logs/mylogs.log"
    codec => "json"
  }
}
output {
  file {
    path => "/logs/out.log"
  }
}

Right now, I'm manually adding records to mylogs.log to try and get it working. However, they appear oddly in the stdout. When I open out.log, I see something like the following:

{"message":"\"Property 1\":\"value A\", \"Property 2\":\"value B\"}","@version":"1","@timestamp":"2014-04-08T15:33:07.519Z","type":"json","host":"ip-[myAddress]","path":"/logs/mylogs.log"}

Because of this, if I send the message to ElasticSearch, I don't get the fields. Instead I get a jumbled mess. I need my properties to still be properties. I do not want them crammed into the message portion or the output. I have a hunch this has something to do with Codecs. Yet, I'm not sure. I'm not sure if I should change the codec on the logstash input configuration. Or, if I should change the input on the output configuration. I would sincerely appreciate any help as I'm getting desperate at this point.

Thanks.

Try removing the json codec and adding a json filter:

input {
  file {
    type => "json"
    path => "/logs/mylogs.log"
  }
}
filter{
    json{
        source => "message"
    }
}
output {
  file {
    path => "/logs/out.log"
  }
}

You do not need the json codec because you do not want to decode the source JSON; you want to filter the input to get the JSON data in the @message field only.

Hope this helps.

By default, tcp puts everything into the message field if the json codec is not specified.

The _jsonparsefailure of the message field after we specify the json codec can also be rectified by doing the following:

input {
  tcp {
    port => '9563'
  }
}
filter{
  json{
    source => "message"
    target => "myroot"
  }
  json{
    source => "myroot"
  }

}
output {
    elasticsearch {
      hosts => [ "localhost:9200" ]
    }
}

It will parse the message field into a proper JSON string in the field myroot, and then myroot is parsed to yield the JSON.

We can remove a redundant field like message as follows:

filter {
  json {
    source => "message"
    remove_field => ["message"]
  }
}

Try with this one:

filter {
  json {
        source => "message"
        target => "jsoncontent" # with multiple layers structure
  }
}
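
An added example, not from any of the posts above: a simplified Python model of the json filter options the answers use (source, target, remove_field and the _jsonparsefailure tag), run over constructed sample lines. The helper names file_input and json_filter and the host value are assumptions for illustration; the model also shows that a root-level merge lets keys from the log line replace event fields such as host, while target keeps them apart.

```python
import json

def file_input(line, path="/logs/mylogs.log", host="constructed-host"):
    """Model of a line-oriented input with no codec: the raw line lands in 'message'."""
    return {"message": line, "type": "json", "path": path, "host": host}

def json_filter(event, source="message", target=None, remove_field=()):
    """Simplified model (an assumption, not Logstash code) of the json filter."""
    event = dict(event)
    if source not in event:
        return event                      # nothing to parse, event passes through
    try:
        parsed = json.loads(event[source])
        if target is None and not isinstance(parsed, dict):
            raise ValueError("only a JSON object can be merged into the event root")
    except (TypeError, ValueError):
        # The original message is kept so the bad line can still be inspected.
        event["tags"] = event.get("tags", []) + ["_jsonparsefailure"]
        return event
    if target is None:
        event.update(parsed)              # root merge: parsed keys replace same-named fields
    else:
        event[target] = parsed            # nested: event metadata is left untouched
    for name in remove_field:             # applied only after a successful parse
        event.pop(name, None)
    return event

# Constructed sample lines: a well-formed entry, one missing its opening
# brace, and one that carries a "host" key of its own.
GOOD = '{"Property 1":"value A","Property 2":"value B"}'
TRUNCATED = '"Property 1":"value A","Property 2":"value B"}'
SHADOWING = '{"Property 1":"value A","host":"from-the-log-line"}'

def demo():
    return {
        "root": json_filter(file_input(GOOD), remove_field=["message"]),
        "nested": json_filter(file_input(GOOD), target="jsoncontent"),
        "failed": json_filter(file_input(TRUNCATED)),
        "shadow_root": json_filter(file_input(SHADOWING)),
        "shadow_nested": json_filter(file_input(SHADOWING), target="jsoncontent"),
    }

if __name__ == "__main__":
    for name, event in demo().items():
        print(name, json.dumps(event, sort_keys=True))
```

When the log lines come from an application you do not fully control, parsing into a target field keeps pipeline-assigned fields such as host and path trustworthy for later searches and alerts.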
