
Parse dynamic Ruby hash with logstash

I use logstash and I have Ruby hashes in my log. Logs look like:

 id: 20171023080217469299836 time: 2017-10-23 08:02:17 +0500 login: 123 params: {:service_id=>21164, :user_id=>"771713"}
 id: 20171022185107064615881 time: 2017-10-22 18:51:07 +0500 login: 321 params: {:unc=>"521130929", :id=>"107005094"}

And I parse it into the field "params":

   id: 20171023080217469299836 time: 2017-10-23 08:02:17 +0500 login: 123 params: {:service_id=>21164, :user_id=>"771713"}
   {
       "@timestamp" => 2017-10-23T03:02:17.000Z,
         "@version" => "1",
             "host" => "elk",
               "id" => "20171023080217469299836",
            "login" => "123",
           "params" => "{:service_id=>21164, :user_id=>\"771713\"}",
   }
   id: 20171022185107064615881 time: 2017-10-22 18:51:07 +0500 login: 321 params: {:unc=>"521130929", :id=>"107005094"}
   {
       "@timestamp" => 2017-10-22T13:51:07.000Z,
         "@version" => "1",
             "host" => "elk",
               "id" => "20171022185107064615881",
            "login" => "321",
           "params" => "{:unc=>\"521130929\", :id=>\"107005094\"}",
   }

Parameter names vary, and parameters can also be added or deleted (there are sometimes 2 or 4-5 parameters in the hash). I'd like to parse this into different fields (like the xml filter does):

{
"parse.service_id" : 21164, 
"parse.user_id" : 771713
}

and

{
"parse.unc" : 521130929,
"parse.id" : 107005094
}

But I can't find how to do this. Does Logstash have a Ruby parser?

You can use the kv filter and the grok filter together.

In your filter.conf Logstash file, add the following:

grok {
  match => { "message" => "id: %{INT:id} time: %{GREEDYDATA:time} login: %{INT:login} params: %{GREEDYDATA:params}" }
}
date {
  match => ["time", "yyyy-MM-dd HH:mm:ss Z"]
}
kv {
  source => "params"
  remove_char_key => ":"
  remove_char_value => "\""
  field_split => ","
  value_split => "="
  trim_key => "\{"
  trim_value => "\}>\""
  prefix => "parse."
}

PS: you need to escape special regex characters like " and { using \\ .

This will give you the following visualization:

(Image: Kibana visualization)
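As an added example (not code from the question or the answer above), here is a plain Ruby parser that does what the grok + kv filters do for the `{:key=>value}` inspect format, without `eval` (evaluating log text would run whatever Ruby the log writer put there) and with string values that contain commas handled, which the comma `field_split` in the kv config cannot do. The names `parse_params`, `parse_line` and the `SAMPLE_LINES` are my own; unlike the kv config, integers stay integers and quoted strings stay strings.

```ruby
require "strscan"

# Constructed sample lines in the format shown in the question.
SAMPLE_LINES = [
  'id: 20171023080217469299836 time: 2017-10-23 08:02:17 +0500 login: 123 params: {:service_id=>21164, :user_id=>"771713"}',
  'id: 20171022185107064615881 time: 2017-10-22 18:51:07 +0500 login: 321 params: {:unc=>"521130929", :id=>"107005094"}',
]

# Same split as the grok pattern in the answer, written as a Ruby regex.
LINE_RE = /\Aid: (?<id>\d+) time: (?<time>.+?) login: (?<login>\d+) params: (?<params>\{.*\})\s*\z/
# One `:symbol=>value` pair; the value is a double-quoted string (escapes allowed) or an integer.
PAIR_RE = /:(?<key>[A-Za-z_]\w*)=>(?:"(?<str>(?:[^"\\]|\\.)*)"|(?<int>-?\d+))/

# Parse a Ruby Hash#inspect string such as {:a=>1, :b=>"x, y"} into a flat
# Hash of "<prefix><key>" => value. No eval: the input is log data, not code.
# Anything outside the expected grammar raises instead of being silently
# dropped, so malformed or unexpected params are visible to the operator.
def parse_params(params, prefix: "parse.")
  s = StringScanner.new(params.strip)
  raise ArgumentError, "expected a hash literal" unless s.scan(/\{\s*/)
  fields = {}
  until s.scan(/\}\s*\z/)
    unless s.scan(PAIR_RE)
      raise ArgumentError, "unexpected token at byte #{s.pos}: #{s.rest[0, 20].inspect}"
    end
    value = s[:int] ? Integer(s[:int], 10) : s[:str].gsub(/\\(.)/, '\1')
    # The prefix keeps a :id param from clobbering the top-level id field.
    fields["#{prefix}#{s[:key]}"] = value
    s.scan(/\s*,\s*/)
  end
  fields
end

# Parse a whole log line into an event hash (strings for id/time/login,
# typed values for the params), or nil if the line does not match.
def parse_line(line)
  m = LINE_RE.match(line) or return nil
  { "id" => m[:id], "time" => m[:time], "login" => m[:login] }.merge(parse_params(m[:params]))
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| p parse_line(l) }
end
```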
