I have a JSON message that contains an array. I want to split it into multiple events:
    {
      "type": "monitor",
      "server": "10.111.222.333",
      "host": "abc.de",
      "bean": [{
        "name": "beanName1",
        "reseted": "2015-06-05T15:10:00.192Z",
        "method": [{
          "name": "getAllXY",
          "count": 5,
          "min": 3,
          "max": 5
        },
        {
          "name": "getName",
          "count": 4,
          "min": 2,
          "max": 4
        }]
      },
      {
        "name": "beanName2",
        "reseted": "2015-06-05T15:10:00.231Z",
        "method": [{
          "name": "getProperty",
          "count": 4,
          "min": 3,
          "max": 3
        }]
      },
      {
        "name": "beanName3",
        "reseted": "2015-06-05T15:10:00.231Z"
      }]
    }
Splitting "bean" with a filter:
    input {
      stdin {
        codec => "json"
      }
    }
    filter {
      split {
        field => "bean"
      }
    }
    output {
      stdout { codec => "json" }
    }
works well:
    {"type":"monitor",
     "server":"10.111.222.333",
     "host":"abc.de",
     "bean":{
       "name":"beanName1",
       "reseted":"2015-06-05T15:10:00.192Z",
       "method":[{
         "name":"getAllXY",
         "count":5,
         "min":3,
         "max":5
       },{
         "name":"getName",
         "count":4,
         "min":2,
         "max":4
       }]},
     "@version":"1",
     "@timestamp":"2015-07-14T09:21:18.326Z"
    }
    {"type":"monitor",
     "server":"10.111.222.333",
     "host":"abc.de",
     "bean":{
       "name":"beanName2",
       "reseted":"2015-06-05T15:10:00.231Z",
       "method":[{
         "name":"getProperty",
         "count":4,
         "min":3,
         "max":3
       }]},
     "@version":"1",
     "@timestamp":"2015-07-14T09:21:18.326Z"
    }
    ...
To separate the "method" entries, I added another split filter:
    split {
      field => "bean"
    }
    split {
      field => "bean.method"
    }
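But this way I only get an error message:

    Exception in filterworker {"exception"=>#<LogStash::ConfigurationError: Only String and Array types are splittable. field:bean.method is of type = NilClass>

I can't access the array "method" inside the object "bean". I tried different notations without luck. Is it possible to access the array, or is this perhaps not supported yet?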
Answer 0 (score: 4)
The following code should do what you want and return one event per method:
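    filter {
      # First pass: parse the raw message and emit one event per bean.
      if !("splitted_beans" in [tags]) {
        json {
          source => "message"
        }
        split {
          field => "bean"
          add_tag => ["splitted_beans"]
        }
      }
      # Second pass: only events that were split and that carry a method array.
      if ( "splitted_beans" in [tags] and [bean][method] ) {
        split {
          # nested field reference; same path as in the condition above
          field => "[bean][method]"
        }
      }
    }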
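The second condition checks whether the first method succeeded and whether a method exists in the bean. So it also works for beans without methods.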
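
An added example (not part of the original question or answer, and not Logstash's own code): a simplified Ruby model of field lookup and the split filter, run over a constructed, abbreviated copy of the question's event. It shows why `bean.method` resolves to nil while `[bean][method]` reaches the nested array; the helper names (`path_of`, `get_field`, `with_field`, `split_events`, `pipeline`) are hypothetical.

```ruby
require "json"

# Constructed sample: the question's event, abbreviated to the fields that matter.
SAMPLE = JSON.parse(<<~EOS)
  {"type": "monitor", "host": "abc.de",
   "bean": [
     {"name": "beanName1", "method": [{"name": "getAllXY", "count": 5},
                                      {"name": "getName", "count": 4}]},
     {"name": "beanName2", "method": [{"name": "getProperty", "count": 4}]},
     {"name": "beanName3"}
   ]}
EOS

# Simplified model of field lookup: "[a][b]" walks nested keys,
# a bare name such as "bean.method" is one literal top-level key.
def path_of(ref)
  ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
end

def get_field(event, ref)
  path_of(ref).reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Deep-copy the event and overwrite the referenced field with one element.
def with_field(event, ref, value)
  copy = JSON.parse(JSON.generate(event))
  *parents, leaf = path_of(ref)
  target = parents.reduce(copy) { |node, key| node[key] }
  target[leaf] = value
  copy
end

# Model of the split filter (arrays only): one output event per array element.
def split_events(events, ref)
  events.flat_map do |event|
    value = get_field(event, ref)
    raise ArgumentError, "field:#{ref} is of type = #{value.class}" unless value.is_a?(Array)
    value.map { |item| with_field(event, ref, item) }
  end
end

# Two-stage pipeline as in the answer: split beans, then split methods where present.
def pipeline(event)
  beans = split_events([event], "[bean]")
  with_methods, without = beans.partition { |e| get_field(e, "[bean][method]") }
  split_events(with_methods, "[bean][method]") + without
end

pipeline(SAMPLE).each { |e| puts JSON.generate(e["bean"]) }
```

The bean without a `method` array passes through unsplit, so its event is not lost from the output stream.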