Can't parse .log to .json using Logstash
I'm new to Logstash and am trying to parse a .log file into .json. In the output file I get "tags": ["_grokparsefailure"] and "message": containing the entire XML document.

Log file:
2019-01-18 14:03:07,666 - Request - ..................... - http://......................................................................................... - getOpenInvoices -
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://....................................................................." xmlns:types="http://............................................................................................" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<tns:getOpenInvoices>
<invoiceQueryOpenRequest href="#id1" />
</tns:getOpenInvoices>
<q1:InvoiceQueryOpenRequest id="id1" xsi:type="q1:InvoiceQueryOpenRequest" xmlns:q1="java:com.....................collgw.model.invoice">
<bankId xsi:type="xsd:int">23</bankId>
<compId xsi:type="xsd:int">533</compId>
<curr xsi:type="xsd:string">949</curr>
<custId xsi:nil="true" />
<invCount xsi:type="xsd:int">5</invCount>
<msgDate xsi:nil="true" />
<msisdn xsi:type="xsd:long">123456789</msisdn>
<orig xsi:nil="true" />
<period xsi:type="xsd:string">201901</period>
<procDate xsi:nil="true" />
<procTime xsi:nil="true" />
<sessionId xsi:type="xsd:string">.............</sessionId>
<stan xsi:type="xsd:long">0</stan>
</q1:InvoiceQueryOpenRequest>
</soap:Body>
</soap:Envelope>
The problem may be with the filter: the bankId and compId keys all end up inside the message key.

You can use gsub inside mutate. See the example below:
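mutate { gsub => [ "message", "^[^<]+<", "<" ] }
xml {
  source => "message"
  target => "theXML"
  store_xml => true
}

filter {
  # Strip the log header: everything before the first "<"
  mutate { gsub => [ "message", "^[^<]+<", "<" ] }
  # Parse the remaining SOAP document and pull out one element via XPath
  xml {
    source => "message"
    target => "theXML"
    store_xml => true
    xpath => {
      "//q1:InvoiceQueryOpenRequest/*[last()]" => "nvoiceQueryOpenRequest"
    }
  }
  # Drop the raw message and the full parsed tree from the output event
  mutate {
    remove_field => [ "message", "[theXML]" ]
  }
}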
Why are you using the grok filter? It is of no use, because both fields set by this filter will be overwritten by the xml filter.
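The gsub-then-parse step from the answer above, reproduced in Python so the pattern and the resulting fields can be checked outside Logstash. This is an added example, not code from the original thread; the sample record (with placeholder host, URL and q1 namespace URI), the function names and the DOCTYPE check are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"

# Constructed sample record shaped like the log in the question; the host, URL
# and q1 namespace URI are placeholders, not values from the original log.
SAMPLE = """2019-01-18 14:03:07,666 - Request - host.example - http://example.invalid/ws - getOpenInvoices -
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<q1:InvoiceQueryOpenRequest id="id1" xmlns:q1="urn:example:invoice">
<bankId xsi:type="xsd:int">23</bankId>
<compId xsi:type="xsd:int">533</compId>
<custId xsi:nil="true" />
<period xsi:type="xsd:string">201901</period>
</q1:InvoiceQueryOpenRequest>
</soap:Body>
</soap:Envelope>
"""


def strip_header(message):
    """Same pattern as the gsub above: drop everything before the first '<'."""
    return re.sub(r"^[^<]+<", "<", message, count=1)


def local_name(tag):
    """'{namespace}name' -> 'name' (ElementTree's qualified-tag form)."""
    return tag.rsplit("}", 1)[-1]


def parse_record(message):
    """Return the InvoiceQueryOpenRequest children as a flat dict."""
    xml_text = strip_header(message)
    if "<!DOCTYPE" in xml_text:
        # Added hardening: log content is untrusted, refuse entity definitions.
        raise ValueError("DOCTYPE not allowed in logged XML")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"record is not well-formed XML: {exc}") from exc
    for element in root.iter():
        if local_name(element.tag) == "InvoiceQueryOpenRequest":
            # xsi:nil="true" becomes None; everything else stays a string.
            return {local_name(c.tag): None if c.get(XSI_NIL) == "true"
                    else (c.text or "") for c in element}
    raise ValueError("no InvoiceQueryOpenRequest element in record")
```

Passing the result to `json.dumps` gives one flat JSON object per request, with nil elements emitted as `null`.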