在Logstash中解析/拆分嵌套的單個JSON數組
[英]Parse/split nested single JSON array in Logstash
問題描述
我正在尋找以下JSON數組的拆分/過濾器。 我們需要將數組中的每個值作為彈性系統中的單個值。
{“Mot_Temp_Test”:{“INT”:[“0”,“0”,“0”,“0”,“0”,“0”,“0”,“0”,“0”,“0” ,“0”,“0”]}}
1 個解決方案
解決方案1
0 2017-01-20 19:04:43
(這些是我使用logstash 2.4運行的測試的結果,輸出是rubydebug編解碼器)
通過在輸入logstash中使用codec => "json" ,實際上會將您的數組視為數組。 我把你的注意事項編成了數字來告訴他們。
{
"Mot_Temp_Test" => {
"INT" => [
[ 0] "0",
[ 1] "1",
[ 2] "2",
[ 3] "3",
[ 4] "4",
[ 5] "5",
[ 6] "6",
[ 7] "7",
[ 8] "8",
[ 9] "9",
[10] "10",
[11] "11"
]
},
"@version" => "1",
"@timestamp" => "2017-01-20T16:55:42.606Z",
"host" => "b5963373fadd"
}
Logstash在處理數組方面不是很出色,但它可以訪問它們。 因此,我們可以使用mutate過濾器將數組元素重命名為字段。
filter {
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int0" } }
}
給我們:
{
"Mot_Temp_Test" => {
"INT" => [
[ 0] "0",
[ 1] "0",
[ 2] "0",
[ 3] "0",
[ 4] "0",
[ 5] "0",
[ 6] "0",
[ 7] "0",
[ 8] "0",
[ 9] "0",
[10] "0"
]
},
"@version" => "1",
"@timestamp" => "2017-01-20T17:08:00.728Z",
"host" => "5780e869e09f",
"int0" => "0"
}
好的,所以這應該很簡單。 。 。
filter {
mutate {
rename => { "[Mot_Temp_Test][INT][0]" => "int0" }
rename => { "[Mot_Temp_Test][INT][1]" => "int1" }
rename => { "[Mot_Temp_Test][INT][2]" => "int2" }
rename => { "[Mot_Temp_Test][INT][3]" => "int3" }
rename => { "[Mot_Temp_Test][INT][4]" => "int4" }
rename => { "[Mot_Temp_Test][INT][5]" => "int5" }
rename => { "[Mot_Temp_Test][INT][6]" => "int6" }
}
}
但等等,這些操作是逐個處理的,在刪除某些內容后,數組填充並得到:
{
"Mot_Temp_Test" => {
"INT" => [
[0] "1",
[1] "3",
[2] "5",
[3] "7",
[4] "9",
[5] "11"
]
},
"@version" => "1",
"@timestamp" => "2017-01-20T18:48:31.875Z",
"host" => "a802749c44fe",
"int0" => "0",
"int1" => "2",
"int2" => "4",
"int3" => "6",
"int4" => "8",
"int5" => "10"
}
試圖解釋這個問題:
filter {
mutate {
rename => { "[Mot_Temp_Test][INT][0]" => "int0" }
rename => { "[Mot_Temp_Test][INT][0]" => "int1" }
rename => { "[Mot_Temp_Test][INT][0]" => "int2" }
rename => { "[Mot_Temp_Test][INT][0]" => "int3" }
rename => { "[Mot_Temp_Test][INT][0]" => "int4" }
rename => { "[Mot_Temp_Test][INT][0]" => "int5" }
rename => { "[Mot_Temp_Test][INT][0]" => "int6" }
}
}
不完全有效:
{
"Mot_Temp_Test" => {
"INT" => [
[ 0] "1",
[ 1] "2",
[ 2] "3",
[ 3] "4",
[ 4] "5",
[ 5] "6",
[ 6] "7",
[ 7] "8",
[ 8] "9",
[ 9] "10",
[10] "11"
]
},
"@version" => "1",
"@timestamp" => "2017-01-20T18:56:32.608Z",
"host" => "d5b81003f43b",
"\"int0\", \"int1\", \"int2\", \"int3\", \"int4\", \"int5\", \"int6\"" => "0"
}
為了實現這一點,我們需要使用一堆不同的mutate過濾器:
filter {
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int0" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int1" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int2" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int3" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int4" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int5" } }
mutate { rename => { "[Mot_Temp_Test][INT][0]" => "int6" } }
}
並取得成功:
{
"Mot_Temp_Test" => {
"INT" => [
[0] "7",
[1] "8",
[2] "9",
[3] "10",
[4] "11"
]
},
"@version" => "1",
"@timestamp" => "2017-01-20T18:21:06.488Z",
"host" => "882832d1dd43",
"int0" => "0",
"int1" => "1",
"int2" => "2",
"int3" => "3",
"int4" => "4",
"int5" => "5",
"int6" => "6"
}
總而言之,數組是logstash不擅長的東西。
將Logstash,json數組轉換為具有從元素字段生成的字段的單個事件?
[英]Logstash, json array into single event with fields generated from element fields?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.