logstash 解析转义 JSON 日志

静坐的时光丶 发布于 04/12 19:42

日志文件

{\"AppID\":0,\"Token\":\"Bearer eyJhbGciOiJSUzI1NiIsImtpZC\",\"Method\":\"GET\",\"Host\":\"10.60.100.45\",\"ApiRoute\":\"http://10.60.4.29:9000/api/register/schedule\",\"DownstreamRequest\":\"http://10.60.4.12:8014/api/register/schedule\",\"ReqMsg\":null,\"RespMsg\":\"{\\\"Code\\\":\\\"0\\\",\\\"Message\\\":\\\"ok\\\",\\\"Data\\\":{\\\"IsA\\\":true,\\\"ANumber\\\":88,\\\"ANumberAdd\\\":0,\\\"ANumberAddLimit\\\":100,\\\"IsP\\\":true,\\\"PNumber\\\":162,\\\"PNumberAdd\\\":0,\\\"PNumberAddLimit\\\":100,\\\"IsN\\\":true,\\\"NNumber\\\":50,\\\"NNumberAdd\\\":0,\\\"NNumberAddLimit\\\":100}}\",\"ExecuteStartTime\":\"2021-04-12T18:54:17.0778058+08:00\",\"ExecuteEndTime\":\"2021-04-12T18:54:17.1423898+08:00\",\"ElaspedTime\":64,\"Comefrom\":0,\"InsertTime\":null,\"Remark\":null}

 

因为有一部分日志是经过转义的，不是标准的 JSON 格式，filter 里这样用 json 有时候不能解析成功。想用 Grok 解析日志，提取 JSON 中的每个字段，不知道要怎么写。

filter {

        # Parse the JSON document held in `message` into top-level event fields, then
        # drop the raw `message` field. remove_field is only applied when the parse
        # succeeds; on failure the event keeps `message` and is tagged
        # `_jsonparsefailure` (the plugin's default tag_on_failure).
        # NOTE(review): the sample log line is an escaped JSON string
        # (`{\"AppID\":0,...}`), which is not valid JSON on its own, so this filter
        # fails on such lines. The line has to be unescaped first (e.g. a mutate gsub,
        # or a ruby filter that JSON-decodes the string after wrapping it in quotes)
        # before this json filter runs — TODO confirm which form the producer emits.
        # The nested `RespMsg` value is escaped one level deeper and remains a JSON
        # string after this parse; a second json filter with `source => "RespMsg"`
        # would expand it into fields.
        # NOTE(review): `Token` carries a bearer credential; mask or remove that field
        # before output so secrets are not persisted in the index.
        json {
            source => "message"
            remove_field => ["message"]
        }        
}

{
    "AppID": 0,
    "Token": "Bearer eyJhbGciOiJSUzI1NiIsImtpZC",
    "Method": "GET",
    "Host": "10.60.100.45",
    "ApiRoute": "http://10.60.4.29:9000/api/register/schedule",
    "DownstreamRequest": "http://10.60.4.12:8014/api/register/schedule",
    "ReqMsg": null,
    "RespMsg": "{\"Code\":\"0\",\"Message\":\"ok\",\"Data\":{\"IsA\":true,\"ANumber\":88,\"ANumberAdd\":0,\"ANumberAddLimit\":100,\"IsP\":true,\"PNumber\":162,\"PNumberAdd\":0,\"PNumberAddLimit\":100,\"IsN\":true,\"NNumber\":50,\"NNumberAdd\":0,\"NNumberAddLimit\":100}}",
    "ExecuteStartTime": "2021-04-12T18:54:17.0778058+08:00",
    "ExecuteEndTime": "2021-04-12T18:54:17.1423898+08:00",
    "ElaspedTime": 64,
    "Comefrom": 0,
    "InsertTime": null,
    "Remark": null
}

 input {

      # Receive raw events over TCP. With `host` commented out the plugin binds to
      # every interface (plugin default 0.0.0.0), and `ssl_enable` is not set, so the
      # listener accepts unauthenticated plaintext from any sender that can reach
      # port 5000. Bind to a specific address, firewall the port, or enable TLS with
      # client certificates if the host is reachable beyond the log producers.
      tcp{
                #host=>"10.60.1.1"
                port=>5000
        }
}
filter {

        # The json filter is fully commented out, so each line is indexed unparsed
        # in `message`. If it is re-enabled, `target => "doc"` would nest the parsed
        # fields under `doc` instead of placing them at the event root.
        #json {
         #   source => "message"
            #target => "doc"
         #   remove_field => ["message"]
        #}        
    
}
output {

    # Ship events to Elasticsearch, one index per day (`access-YYYY.MM.dd`), with
    # Logstash managing the index template.
    elasticsearch {

        hosts => ["10.60.1.1:9200"]
        index => "access-%{+YYYY.MM.dd}"
        # NOTE(review): the built-in `elastic` superuser and its password are stored
        # in clear text in the pipeline file. Use a least-privilege ingest role, keep
        # the secret in the Logstash keystore and reference it as e.g.
        # `password => "${ES_PWD}"` (variable name is an example), and prefer an
        # https:// host so credentials and log data are not sent in the clear.
        user => elastic
        password => elastic
        manage_template => true
    }


}

 

 
