Can'；使用logstash将.log解析为.json_Json_Xml_Logstash

Can'；使用logstash将.log解析为.json

json xml logstash

Can'；使用logstash将.log解析为.json,json,xml,logstash,Json,Xml,Logstash,我是日志库的新手，正在尝试将.log文件解析为.json 在输出文件中有“标记”：[“\u grokparsefailure”]和“message”：包含所有xml文件日志文件： 2019-01-18 14:03:07,666 - Request - ..................... - http://......................................................................................... -

我是日志库的新手，正在尝试将.log文件解析为.json 在输出文件中有“标记”：[“\u grokparsefailure”]和“message”：包含所有xml文件

日志文件：

2019-01-18 14:03:07,666 - Request - ..................... - http://......................................................................................... - getOpenInvoices - 
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://....................................................................." xmlns:types="http://............................................................................................" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <tns:getOpenInvoices>
            <invoiceQueryOpenRequest href="#id1" />
        </tns:getOpenInvoices>
        <q1:InvoiceQueryOpenRequest id="id1" xsi:type="q1:InvoiceQueryOpenRequest" xmlns:q1="java:com.....................collgw.model.invoice">
            <bankId xsi:type="xsd:int">23</bankId>
            <compId xsi:type="xsd:int">533</compId>
            <curr xsi:type="xsd:string">949</curr>
            <custId xsi:nil="true" />
            <invCount xsi:type="xsd:int">5</invCount>
            <msgDate xsi:nil="true" />
            <msisdn xsi:type="xsd:long">123456789</msisdn>
            <orig xsi:nil="true" />
            <period xsi:type="xsd:string">201901</period>
            <procDate xsi:nil="true" />
            <procTime xsi:nil="true" />
            <sessionId xsi:type="xsd:string">.............</sessionId>
            <stan xsi:type="xsd:long">0</stan>
        </q1:InvoiceQueryOpenRequest>
    </soap:Body>
</soap:Envelope>

问题可能是过滤器问题。BankId或compId密钥，全部在消息密钥中

您可以在

mutate

内部使用

gsub

。请查看下面的示例：

mutate { gsub => [ "message", "^[^<]+<", "<" ] } xml { source => "message" target => "theXML" store_xml => true } 
filter {

    mutate { gsub => [ "message", "^[^<]+<", "<" ] }
    xml {
        source => "message"
        target => "theXML"
        store_xml => true
        xpath =>{
                        "//q1:InvoiceQueryOpenRequest/*[last()]" => "nvoiceQueryOpenRequest"

                }
    }
    mutate {
      remove_field => ["message",
                       "[theXML]"
                      ]
    }

}

mutate{gsub=>[“message”，“^[^为什么要使用grok筛选器？它没有用，因为此筛选器设置的两个字段都将被xml筛选器覆盖。
mutate { gsub => [ "message", "^[^<]+<", "<" ] } xml { source => "message" target => "theXML" store_xml => true } 
filter {

    mutate { gsub => [ "message", "^[^<]+<", "<" ] }
    xml {
        source => "message"
        target => "theXML"
        store_xml => true
        xpath =>{
                        "//q1:InvoiceQueryOpenRequest/*[last()]" => "nvoiceQueryOpenRequest"

                }
    }
    mutate {
      remove_field => ["message",
                       "[theXML]"
                      ]
    }

}