在Logstash中分解json数组字符串
[英]Decompose json array string in Logstash
问题描述
I have a RabbitMQ sending 3 fields in JSON format and it is being consumed by Logstash rabbitmq input plugin. 
我有一个RabbitMQ以JSON格式发送3个字段,Logstash rabbitmq输入插件正在使用它。
One of the fields is a JSON array of strings as follows: 字段之一是字符串的JSON数组,如下所示:
"content": [
"1111",
"2222222",
"Test 06",
"3",
"3232",
"SomeValue1"
]
How could I make each entry of that string into a field so that I can quickly discover and visualize in Kibana from the available fields?
我如何才能将该字符串的每个条目都输入一个字段,以便可以从可用字段中快速发现和可视化在Kibana中? Right now I see "content" with that full string. 现在,我看到带有完整字符串的“内容”。 The JSON array string size changes depending on another field, eventID.
JSON数组字符串的大小根据另一个字段eventID而变化。 Would it be possible to dynamically map the values in that string to specific names depending on the eventID? 可以根据eventID将字符串中的值动态映射到特定名称吗? Such as: 如: "eventID": 1, "content": [ "name1": "1111", "name2": "2222222", "name3": "Test 06", "name4": "3", "name5": "3232", "name6": "SomeValue1" ] "eventID": 2, "content": [ "othername1": "3434", "othername2": "Test 10", "othername3": "876", "othername4": "Some String7" ]
I would like to have the name* and othername* in the available fields. 我想在可用字段中使用name *和othername *。 Any help would be appreciated. 任何帮助,将不胜感激。
1 个解决方案
解决方案1
0 已采纳 2017-08-03 19:52:23
First, I'm going to assume for a moment that your input is properly parsed as an array already. 首先,我将假设您的输入已经正确解析为一个数组。 For testing purposes, that means that this: 出于测试目的,这意味着:
echo '{"eventID":1,"content":["a","b","c","d"]}' | bin/logstash -f test.conf
where test.conf is: 其中test.conf是:
input {
stdin { codec => json }
}
output {
stdout { codec => rubydebug }
}
will output this: 将输出以下内容:
{
"eventID" => 1,
"@timestamp" => 2017-08-03T19:39:13.054Z,
"@version" => "1",
"host" => "xxxxxx.local",
"content" => [
[0] "a",
[1] "b",
[2] "c",
[3] "d"
]
}
If that's the case, then you'll need to do something like this: 如果是这种情况,那么您需要执行以下操作:
filter {
if [eventID] == 1 {
mutate {
add_field => {
"eventName" => "type1 event"
"one0" => "%{[content][0]}"
"one1" => "%{[content][1]}"
"one2" => "%{[content][2]}"
"one3" => "%{[content][3]}"
}
remove_field => [ "content" ]
}
} else if [eventID] == 2 {
mutate {
add_field => {
"eventName" => "type2 event"
"two0" => "%{[content][0]}"
"two1" => "%{[content][1]}"
"two2" => "%{[content][2]}"
"two3" => "%{[content][3]}"
}
remove_field => [ "content" ]
}
}
}
which will generate an event like this: 会产生这样的事件:
{
"eventID" => 1,
"@timestamp" => 2017-08-03T19:51:02.946Z,
"@version" => "1",
"host" => "xxxxxxx.local",
"one2" => "c",
"eventName" => "type1 event",
"one3" => "d",
"one0" => "a",
"one1" => "b"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.