I have been trying to configure a Logstash pipeline with input type snmptrap and yamlmibdir. Here is the code
select top 500 t2.col1 from (
    select row_number() over (partition by t1.col1 order by id desc) rn, t1.col1
    from
    (select
        id,
        case
            when len(PhoneNumber) = 13 And phoneNumber like '+311%' then replace(PhoneNumber, '+311', '0')
            when len(PhoneNumber) = 13 And phoneNumber like '311-%' then replace(PhoneNumber, '311-', '0')
            when len(PhoneNumber) = 13 And phoneNumber like '0311%' then stuff(PhoneNumber, 1, 4 , 0 )
            when len(PhoneNumber) = 14 And phoneNumber like '00311%' then stuff(PhoneNumber, 1, 5 ,'0')
            when len(PhoneNumber) = 14 And phoneNumber like '00311%' then stuff(PhoneNumber, 1, 4 ,'0')
            when len(PhoneNumber) = 12 And phoneNumber like '311%' then stuff(PhoneNumber, 1 , 3 , '0')
            when len(PhoneNumber) = 12 then REPLACE (PhoneNumber, '-', '')
            when len(PhoneNumber) = 11 And phoneNumber like '00%' then Stuff(PhoneNumber, 1, 2 , '0')
            else PhoneNumber
        end as col1
    from users
    where cityid = 1 and statusid = 1 and (len(PhoneNumber) >= 10 And len(PhoneNumber) <= 14)
        and PhoneNumber not like '"%' and PhoneNumber not like '+311-%' and PhoneNumber not like '01%'
        and PhoneNumber like '0%') t1
) t2
where t2.rn = 1
and here is the result displayed in Kibana (JSON format)
input {
  snmptrap {
    host => "abc"
    port => 1062
    yamlmibdir => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.2/data/ruby/snmp/mibs"
  }
}
filter {
  mutate {
    gsub => ["message","^\"{","{"]
    gsub => ["message","}\"$","}"]
    gsub => ["message","[\\]",""]
  }
  json { source => "message" }
  split {
    field => "message"
    target => "evetns"
  }
}
output {
  elasticsearch {
    hosts => "xyz"
    index => "logstash-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
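As you can see in the message field, it is an array, so how can I get all the fields inside the array? I would also like to be able to select these fields for display in Kibana.
PS1. If I select the "Table" type in the expanded document, I still get the _jsonparsefailure tag.
PS2. Even though I use gsub to remove "\" from the expected JSON result, why do I still get a result with "\"?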