AZ-*_*AZ- 5 elasticsearch filebeat
我怎样才能控制的水平decode_json_fields?
max_depth似乎对我的情况没有帮助。
目标:解析'/var/lib/docker/containers/ / .log'但控制最大json深度(不要在elasticsearch索引中生成数百个嵌套字段)
name: "host-01"
queue:
mem:
events: 16384
# batch of events to the outputs. "0" ensures events are immediately available to be sent to the outputs.
flush.min_events: 0
filebeat:
prospectors:
- type: log
paths:
- '/tmp/test.log'
json:
# key on which to apply the line filtering and multiline settings
message_key: log
keys_under_root: true
add_error_key: true
processors:
- decode_json_fields:
fields: ["log"]
process_array: false
max_depth: 1
overwrite_keys: false
output:
console:
pretty: true
例子
echo '{"log":"{ "status": { "foo": { "bar": 1 } }, "bytes_sent": "0", "gzip_ratio": "-", "hostname": "cb7b5441f0da" }\n","stream":"stdout","time":"2018-12-29T11:25:36.130729806Z"}' >> /tmp/test.log
实际结果:
{
...
"log": {
"status": {
"foo": {
"bar": 1
}
},
"bytes_sent": "0",
"gzip_ratio": "-",
"hostname": "cb7b5441f0da"
...
}
预期结果:
{
...
"log": {
"status": "{ \"foo\": { \"bar\": 1 } }"
},
"bytes_sent": "0",
"gzip_ratio": "-",
"hostname": "cb7b5441f0da"
...
}
如何控制嵌套的json对象?
这是一些解释https://github.com/elastic/beats/issues/9834#issuecomment-451134008 1但是删除 json: 并只留下decode_json_fields没有帮助
交叉链接到discuss.elastic.co https://discuss.elastic.co/t/filebeat-how-control-level-nested-json-object-parsing-decode-json-fields/162876
截至 2022 年,filebeatdecode_json_fields处理器仍然无法满足此要求:
仅解析 JSON 文档键至第 N 个深度,并将更深的 JSON 键保留为未解析的字符串。
在 elastic/beats github 存储库中有一个未解决的问题max_depth,讨论处理器的属性行为decode_json_fields,其中利用 filebeat 处理器的线程中的参与者善意地提供了解决方法script。
- script:
lang: javascript
source: >
function process(event) {
for(var p in event.Get("log")){
if (event.Get("log")[p] != null && typeof event.Get("log")[p] == 'object') {
event.Put("log."+p, JSON.stringify(event.Get("log")[p]))
}
}
}
PS:我已将原始片段根 JSON 键更改为“log”以满足 OP 要求。
| 归档时间: |
|
| 查看次数: |
7156 次 |
| 最近记录: |