res*_*red 5 elasticsearch logstash
我正在尝试将 JSON 数组拆分为多个事件。这是一个示例输入:
{"results" : [{"id": "a1", "name": "hello"}, {"id": "a2", "name": "logstash"}]}
这是我的过滤器和输出配置:
filter {
split {
field => "results"
}
}
stdout {
codec => "rubydebug"
}
这会产生 2 个事件,一个用于数组中的每个 JSON。它与我正在寻找的很接近:
{
"results" => {
"id" => "a1",
"name" => "hello"
},
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
{
"results" => {
"id" => "a2",
"name" => "logstash"
},
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
问题是嵌套的“结果”部分。“results”是目标参数的默认值。有没有办法在不生成嵌套 JSON 的情况下使用拆分过滤器,并得到如下结果:
{
"id" => "a1",
"name" => "hello"
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
{
"id" => "a2",
"name" => "logstash"
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
目的是将其提供给 ElasticSearch 输出,每个事件都是具有 document_id => "id" 的文档。欢迎任何好的解决方案!
如果您知道所有字段是什么(正如您所看到的那样),您可以简单地重命名这些字段:
mutate {
rename => [
"[results][id]", "id",
"[results][name]", "name"
]
remove_field => "results"
}
如果您不知道所有字段是什么,您可以编写一个ruby代码过滤器来执行event['results'].each...并从结果的子字段创建新字段。
| 归档时间: |
|
| 查看次数: |
10059 次 |
| 最近记录: |