Logstash /神交複製信息等領域創造新的輸出格式

Question

我有以下的日誌中logstash：

{ 
    "message":"{\"name\":\"myapp\",\"hostname\":\"sensu-node-dev\",\"pid\":749,\"level\":50,\"err\":{\"message\":\"Cannot find module 'lol'\",\"name\":\"Error\",\"stack\":\"Error: Cannot find module 'lol'\\n at Function.Module._resolveFilename (module.js:339:15)\\n at Function.Module._load (module.js:290:25)\\n at Module.require (module.js:367:17)\\n at require (internal/module.js:16:19)\\n at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\\n at next (native)\\n at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\\n at next (native)\\n at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\\n at /srv/www/dev.site/node_modules/co/index.js:54:5\",\"code\":\"MODULE_NOT_FOUND\"},\"msg\":\"Cannot find module 'lol'\",\"time\":\"2016-02-26T15:59:25.688Z\",\"v\":0}", 
    "@version":"1", 
    "@timestamp":"2016-02-26T15:59:35.317Z", 
    "beat":{"hostname":"sensu-node-dev","name":"sensu-node-dev"}, 
    "count":1, 
    "fields":null, 
    "input_type":"log", 
    "offset":83219, 
    "source":"/var/log/bunyan/myapp-info.log", 
    "type":"log", 
    "host":"sensu-node-dev", 
    "tags":["beats_input_codec_plain_applied","error"], 
    "name":"myapp", 
    "hostname":"sensu-node-dev", 
    "pid":749, 
    "level":50, 
    "err":{"message":"Cannot find module 'lol'","name":"Error","stack":"Error: Cannot find module 'lol'\n at Function.Module._resolveFilename (module.js:339:15)\n at Function.Module._load (module.js:290:25)\n at Module.require (module.js:367:17)\n at require (internal/module.js:16:19)\n at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\n at next (native)\n at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\n at next (native)\n at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\n at /srv/www/dev.site/node_modules/co/index.js:54:5","code":"MODULE_NOT_FOUND"}, 
    "msg":"Cannot find module 'lol'", 
    "time":"2016-02-26T15:59:25.688Z", 
    "v":0 
} 

我想logstash輸出如下：

{ 
    title: "error message from host sensu-node-dev", 
    text:"{\"name\":\"myapp\",\"hostname\":\"sensu-node-dev\",\"pid\":749,\"level\":50,\"err\":{\"message\":\"Cannot find module 'lol'\",\"name\":\"Error\",\"stack\":\"Error: Cannot find module 'lol'\\n at Function.Module._resolveFilename (module.js:339:15)\\n at Function.Module._load (module.js:290:25)\\n at Module.require (module.js:367:17)\\n at require (internal/module.js:16:19)\\n at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\\n at next (native)\\n at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\\n at next (native)\\n at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\\n at /srv/www/dev.site/node_modules/co/index.js:54:5\",\"code\":\"MODULE_NOT_FOUND\"},\"msg\":\"Cannot find module 'lol'\",\"time\":\"2016-02-26T15:59:25.688Z\",\"v\":0}" 
} 

sensu-node-dev取來自原始日誌中的host字段。 text字段包含原始日誌中的message字段所具有的內容。感覺這應該是一項微不足道的任務。

我一直在尋找grok，它不是初學者友好的！我不確定這是應該在篩選器還是在logstash .conf文件的輸出中完成？

Answer 1

你可以做一個新的領域，即使使用的值從其他領域：

mutate { 
    add_field => { "title" => "error message from host %{host}" } 
} 

你也許可以重命名等領域，以使他們在那裏你想要的：

mutate { 
    rename => { "name" => "[text][name]" } 
} 

如果有你不想要的剩餘字段，你可以使用mutate-> remove_field。