stackoom
  简体   繁体   中英

Json logstash with tcp and elastic

 原文  2017-05-12 10:07:36       json/ elasticsearch/ logstash

Question

i looking for many many time and also consult in here to found one solution to resolve problem json in elastic using logstash. my config here 

input {
  tcp {
    port => 9000
  }
}
filter{
    json{
        source => "message"
        target => "doc"
    }
}
output {
  elasticsearch {
   hosts => ["localhost:9200"] 
   index => logstash-%{+YYYY.MM.dd}
  }
}

but my elastic still have string message document not json. Document like that 

{
  "_index": "logstash-2017.05.12",
  "_type": "logs",
  "_id": "AVv8C4O4qok70-ifTOnm",
  "_score": null,
  "_source": {
    "message": "{\"name\":\"abc\",\"id\":1494582167248}",
    "@version": "1",
    "@timestamp": "2017-05-12T09:42:47.263Z",
    "host": "172.0.0.1",
    "port": 53763
  },
  "fields": {
    "@timestamp": [
      1494582167263
    ]
  },
  "sort": [
    1494582167263
  ]
}

Any one can help me how to fix inorder to name and id filed is as an member propeter of _source . Im expect document log like 

"_source": {
    "name":"abc",
    "id": 1494582167248
    "@version": "1",
    "@timestamp": "2017-05-12T09:42:47.263Z",
    "host": "192.168.2.251",
    "port": 53763
  }

1 answers

solution1
 0 ACCPTED  2017-05-12 12:13:44

If you want to have those fields at the root of the parsed message (which will be at the root level of _source in ElasticSearch, you must remove the JSON target setting. That setting specifies a parent to the parsed fields that are extracted using the JSON filter: 

{
  "@timestamp": "2017-05-12T11:58:40.897Z",
  "port": 61981,
  "@version": "1",
  "host": "10.0.2.2",
  "doc": {
    "name": "abc",
    "id": 1494582167248
  },
  "message": "{\"name\":\"abc\",\"id\":1494582167248}"
}

So remove the target setting, and make sure that your index setting is set in quotes: 

input {
    tcp {
        port => 9000
    }
}

filter{
    json {
        source => "message"
    }
}

output {
    stdout { codec => "rubydebug" }
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}

Which results in: 

{
  "@timestamp": "2017-05-12T11:56:51.187Z",
  "port": 61970,
  "@version": "1",
  "host": "10.0.2.2",
  "name": "abc",
  "id": 1494582167248,
  "message": "{\"name\":\"abc\",\"id\":1494582167248}"
}

To validate with ElasticSearch curl -XGET localhost:9200/logstash-2017.05.12/_search | jq . curl -XGET localhost:9200/logstash-2017.05.12/_search | jq . returns 

{
  "_index": "logstash-2017.05.12",
  "_type": "logs",
  "_id": "AVv8hMTCjLo8wwWpi9R6",
  "_score": 1,
  "_source": {
    "@timestamp": "2017-05-12T11:56:51.187Z",
    "port": 61970,
    "@version": "1",
    "host": "10.0.2.2",
    "name": "abc",
    "id": 1494582167248,
    "message": "{\"name\":\"abc\",\"id\":1494582167248}"
  }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Failed to Import JSON data to elastic via logstash Logstash TCP input w/ JSON codec treats each line as a separate event Using JSON with LogStash Logstash send only json Parsing JSON file into logstash Logstash nested JSON Parse Logstash json field convert Logstash is not converting correctly in JSON Parsing JSON event in Logstash filter json in logstash
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM