logstash json数据解析/判断嵌套json字段是否存在

解析json

# Parse the JSON text held in "message" and store the result under the
# nested field "temp_json" rather than at the event root, so keys chosen by
# whoever wrote the log line cannot replace existing top-level fields.
# If the text is not valid JSON the event is kept and tagged
# "_jsonparsefailure" (the json filter's default tag_on_failure value).
filter {
    json {
        source => "message"
        target => "temp_json"
    }
}

如果不写 target,json 串里的字段会被直接解析到事件的"根"下面,并覆盖根下已有的同名字段(例如 type、host)。日志内容来自不可信来源时,建议始终指定 target。

判断嵌套json字段是否存在,存在则添加字段

# Copy the nested value to a top-level field only when it is present.
# NOTE: a bare field reference is a truthiness test, so this branch is also
# skipped when [temp_json][foo] exists but holds null or boolean false.
filter {
    if [temp_json][foo] {
        mutate{
            # sprintf interpolation: the new "foo" holds the string form of the value
            add_field => { "foo" => "%{[temp_json][foo]}" }
        }
     }
}

字段类型转换

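# Copy the nested value to the top level, then force it to a string.
filter{
    if [temp_json][foo] {
        # add_field is a common option that is applied only after the mutate
        # filter itself has finished, so a convert placed in the same mutate
        # block would run before "foo" exists and change nothing.
        mutate{
            add_field => { "foo" => "%{[temp_json][foo]}" }
        }
        # A second mutate block guarantees the order: create first, convert second.
        mutate{
            convert => { "foo" => "string" }
        }
    }
}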

或者

# Stand-alone conversion of the top-level "foo" field to a string.
# This block has to be placed after the filter that creates "foo",
# because filters run in the order they appear in the pipeline.
filter{
    mutate{
       convert => { "foo" => "string" }
    }
}

logstash配置文件内容

# Read events from every file matching the glob below. Each line arrives in
# the "message" field and is data written by another program, so everything
# later parsed out of it should be treated as untrusted input.
input {
    file {
        # "type" is the routing key tested by the output section's conditional
        type => "type-learn"  
        path => "/data1/logs/learn*.log"
    }
}

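filter {
    # Parse the JSON log line into a scratch field. Using a target keeps keys
    # from the log out of the event root, so they cannot overwrite fields such
    # as "type", which the output section uses for routing.
    json {
        source => "message"
        target => "temp_json"
    }

    if [temp_json][foo] {
        # add_field is applied only after the mutate filter has finished, so
        # the convert must live in a later mutate block to see the new field.
        mutate{
            add_field => { "foo" => "%{[temp_json][foo]}" }
        }
        mutate{
            convert => { "foo" => "string" }
        }
    }

    # ... further field extraction elided in the original post ...

    # Drop the scratch and bookkeeping fields from every event.
    mutate {
        remove_field => ["temp_json","@version","_score"]
    }

    # Discard the raw line only when it was parsed successfully. Events tagged
    # "_jsonparsefailure" keep "message", so malformed or unexpected log lines
    # are still searchable instead of being indexed as empty documents.
    if "_jsonparsefailure" not in [tags] {
        mutate {
            remove_field => ["message"]
        }
    }
}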

# Ship events read by the "type-learn" file input to Elasticsearch.
# NOTE(review): the host entry has no scheme and no credentials are set, so
# this presumably connects over plain HTTP without authentication. That is
# only reasonable on an isolated lab network; elsewhere use an https:// host
# together with the plugin's user/password and certificate settings.
output {
    if [type] == "type-learn" {
        elasticsearch {
            action => "index"          #The operation on ES
            hosts  => ["192.168.149.129:9200"]   #ElasticSearch host, can be array.
            index  => "logstash-learn"         #The index to write data to.
        }
    }
}
