How to split a JSON array inside an object

Time: 2015-07-14 09:37:51

Tags: json logstash

I have a JSON message that contains an array. I want to split it into multiple events:

{
"type": "monitor",
"server": "10.111.222.333",
"host": "abc.de",
"bean": [{
    "name": "beanName1",
    "reseted": "2015-06-05T15:10:00.192Z",
    "method": [{
      "name": "getAllXY",
      "count": 5,
      "min": 3,
      "max": 5
    },
    {
      "name": "getName",
      "count": 4,
      "min": 2,
      "max": 4
    }]
  },
  {
    "name": "beanName2",
    "reseted": "2015-06-05T15:10:00.231Z",
    "method": [{
      "name": "getProperty",
      "count": 4,
      "min": 3,
      "max": 3
    }]
  },
  {
    "name": "beanName3",
    "reseted": "2015-06-05T15:10:00.231Z"
  }]
}

Splitting "bean" with a filter:

input {
  stdin {
    codec => "json"
  }
}

filter {
  split {
    field => "bean"
  }
}

output {
  stdout{codec => "json"}
}

This works well:

{"type":"monitor",
 "server":"10.111.222.333",
 "host":"abc.de",
 "bean":{
   "name":"beanName1",
   "reseted":"2015-06-05T15:10:00.192Z",
   "method":[{
     "name":"getAllXY",
     "count":5,
     "min":3,
     "max":5 
    },{
     "name":"getName",
     "count":4,
     "min":2,
     "max":4
    }]},
 "@version":"1",
 "@timestamp":"2015-07-14T09:21:18.326Z"
}

{"type":"monitor",
 "server":"10.111.222.333",
 "host":"abc.de",
 "bean":{
   "name":"beanName2",
   "reseted":"2015-06-05T15:10:00.231Z",
   "method":[{
     "name":"getProperty",
     "count":4,
     "min":3,
     "max":3
   }]},
 "@version":"1",
 "@timestamp":"2015-07-14T09:21:18.326Z"
}

    ...

To separate the "method" entries, I added another split filter:

  split {
    field => "bean"
  }
  split {
    field => "bean.method"
  }

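But this way I only get an error message:

Exception in filterworker {"exception"=>#LogStash::ConfigurationError: Only String and Array types are splittable. field:bean.method is of type = NilClass

I can't access the array "method" inside the object "bean". I tried different notations with no luck. Is it possible to access the array, or is it perhaps not supported yet?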

1 answer:

Answer 0: (score: 4)

The following code should do what you want and return one event per method:

filter {
    if !("splitted_beans" in [tags]) {
        json {
            source => "message"
        }
        split { 
            field => "bean"
            add_tag => ["splitted_beans"]
        }
    }

    if ( "splitted_beans" in [tags] and [bean][method] ) {
        split {
            field => "[bean][method]"
        }
    }
}

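The second condition checks whether the first method was successful and whether a method exists inside the bean. So it also works for beans without methods.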
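
A simplified Ruby model of the nested split discussed above, added here as an illustration (it is not Logstash's own code and not part of the original question or answer). The helpers `path_of`, `get`, `deep_copy`, `split` and `method_events` are hypothetical, the sample is a constructed, trimmed copy of the question's message, and only array fields are handled.

```ruby
require "json"

# Constructed sample: a trimmed copy of the message from the question.
SAMPLE = JSON.parse(<<~'DOC')
  {"type": "monitor", "host": "abc.de", "bean": [
    {"name": "beanName1", "method": [{"name": "getAllXY", "count": 5},
                                     {"name": "getName", "count": 4}]},
    {"name": "beanName2", "method": [{"name": "getProperty", "count": 4}]},
    {"name": "beanName3"}
  ]}
DOC

# "[bean][method]" -> ["bean", "method"]; a bare name such as "bean.method"
# is one top-level key, which is why the question's second split saw nil.
def path_of(ref)
  ref.start_with?("[") ? ref.scan(/\[([^\[\]]+)\]/).flatten : [ref]
end

def get(event, ref)
  path_of(ref).reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

def deep_copy(obj)
  JSON.parse(JSON.generate(obj))
end

# One copy of the event per array element; the array is replaced by that element.
def split(event, ref)
  value = get(event, ref)
  unless value.is_a?(Array)
    raise ArgumentError, "field:#{ref} is of type = #{value.class}"
  end
  *parents, leaf = path_of(ref)
  value.map do |element|
    copy = deep_copy(event)
    holder = parents.reduce(copy) { |node, key| node[key] }
    holder[leaf] = element
    copy
  end
end

# The answer's pipeline: split beans, then split methods only where they exist.
def method_events(event)
  split(event, "[bean]").flat_map do |e|
    get(e, "[bean][method]") ? split(e, "[bean][method]") : [e]
  end
end
```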