Logstash-如何在没有目标的情况下使用拆分过滤器拆分数组?
我正在尝试将JSON数组拆分为多个事件。这是一个示例输入:
{"results" : [{"id": "a1", "name": "hello"}, {"id": "a2", "name": "logstash"}]}这是我的过滤器和输出配置:
filter { split {
field => "results"
}
}
stdout {
codec => "rubydebug"
}
这将产生2个事件,数组中的每个JSON都有一个。它接近我要寻找的东西:
{ "results" => {
"id" => "a1",
"name" => "hello"
},
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
{
"results" => {
"id" => "a2",
"name" => "logstash"
},
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
问题是嵌套的“结果”部分。“结果”是目标参数的默认值。有没有一种方法可以使用拆分过滤器而不产生嵌套的JSON,并得到如下所示的结果:
{ "id" => "a1",
"name" => "hello"
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
{
"id" => "a2",
"name" => "logstash"
"@version" => "1",
"@timestamp" => "2015-05-30T18:33:21.527Z",
"host" => "laptop",
}
目的是将其提供给ElasticSearch输出,每个事件都是带有document_id =>“ id”的文档。任何好的解决方案都欢迎!
回答:
如果您知道所有字段都是什么(看起来像您一样),则可以简单地重命名字段:
mutate { rename => [
"[results][id]", "id",
"[results][name]", "name"
]
remove_field => "results"
}
如果您不知道所有字段是什么,则可以编写一个ruby代码过滤器,该过滤器执行并event['results'].each...从结果的子字段中创建新的字段。
以上是 Logstash-如何在没有目标的情况下使用拆分过滤器拆分数组? 的全部内容, 来源链接: utcz.com/qa/407941.html
