Logstash通過logstash只發送JSON

Question

IAM sendding此日誌

2017-02-27T13:00:07+01:00 test {"createdAt":"2017-02-27T13:00:07+0100","cluster":"undefined","nodeName":"undefined","nodeIP":"10.11.11.50","clientIP":"10.11.11.72","customerId":1,"identityId":332,"appType":"admin","eventGroup":"education","eventName":"insert","eventData":{"education_insert":{"type":"course","data":{"education_id":2055,"education":{"id":2055,"customer_id":1,"creator_id":332,"type":"course","status":"new","is_featured":false,"enroll_deadline":null,"complete_deadline":null,"count_view":0,"count_like":0,"meta_title":"test Course - progress","meta_description":"test Course - progress","discoverable":"everyone","progress_max":0,"instructor_ids":[332],"tag_ids":[135],"discoverable_group_ids":[],"category_ids":[14],"audits":null,"instructors":null,"creator":null,"lessonGroups":null,"categories":null},"duration":"quick"}}},"scopeType":"education","scopeId":"2055"} 

如何刪除2017-02-27T13:00:07+01:00和test.app.event

Answer 1

我用這一點，併爲我工作:) THX的幫助

input { kafka { bootstrap_servers=>"localhost:9092" topics=>"test"}} 
filter{ 
grok { 
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\t%{GREEDYDATA:topic}\t%{GREEDYDATA:json}" } 
    } 
    json { 
    source => "json" 
    remove_field => ["timestamp","topic","json","message","@version","@timestamp","tags"] 
    } 
} 
output{ elasticsearch {hosts=>["127.0.0.1:9200"] document_type=>"app_stats" index=>"test"}} 

Answer 2

您需要使用grok提取消息的JSON部分，然後用json過濾器將提取的json轉換爲事件。最後，您需要使用mutate刪除您不想在最終事件中使用的任何字段（例如，message）。

Answer 3

你也許可以使用正則表達式模式，以便只得到json。該regex模式應該是你模式中文件：

的模式可能是這樣的：

REQUIREDDATA {([^}]*)}([^}]*)([^}]*)}}}([^}]*)} <-- this extracts only your json part 

這是測試的正則表達式pattern。

之後，你可以在你的神交內使用模式比賽：

grok { 
    patterns_dir => ["/pathto/patterns"] 
    match => { "message" => "^%{REQUIREDDATA:new}" }    
} 

現在的消息僅具有JSON部分來自你的日誌行，因此你可以通過logstash他們推到ES現在。以上只是一個示例，以便您可以重現。

希望它有幫助！