Warning: file_get_contents(/data/phpspider/zhask/data//catemap/4/json/15.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Logstash无法提取json密钥_Json_Logstash_Elastic Stack_Logstash Configuration - Fatal编程技术网
Fatal编程技术网
  • json/
  • Logstash无法提取json密钥

Logstash无法提取json密钥

json logstash

Logstash无法提取json密钥,json,logstash,elastic-stack,logstash-configuration,Json,Logstash,Elastic Stack,Logstash Configuration,我需要有关logstash筛选器的帮助,以将json键/值提取到新的_字段。以下是我的日志存储配置 input { tcp { port => 5044 } } filter { json { source => "message" add_field => { "data" => "%{[message][data]}" } } } output

我需要有关logstash筛选器的帮助,以将json键/值提取到新的_字段。以下是我的日志存储配置

input {
    tcp {
        port => 5044
    }
}

filter {
    json {
        source => "message"
        add_field => {
            "data" => "%{[message][data]}"
        }
    }
}

output {
        stdout { codec => rubydebug }
}
我试过使用mutate:

filter {
    json {
        source => "message"
    }
    mutate {
        add_field => {
            "data" => "%{[message][data]}"
        }
    }
}
我试过了。而不是[]:

filter {
    json {
        source => "message"
    }
    mutate {
        add_field => {
            "data" => "%{message.data}"
        }
    }
}
我已尝试使用索引编号:

filter {
    json {
        source => "message"
    }
    mutate {
        add_field => {
            "data" => "%{[message][0]}"
        }
    }
}
一切都没有运气:(

将以下json发送到端口5044:

{"data": "blablabla"}
问题是新字段无法从json的键中提取值。
“数据”=>“%{[message][data]}”

以下是我的标准:

{
           "@version" => "1",
               "host" => "localhost",
               "type" => "logstash",
               "data" => "%{[message][data]}",
               "path" => "/path/from/my/app",
         "@timestamp" => 2019-01-11T20:39:10.845Z,
            "message" => "{\"data\": \"blablabla\"}"
}
但是,如果我使用“数据”=>“%{[message]}”

filter {
    json {
        source => "message"
        add_field => {
            "data" => "%{[message]}"
        }
    }
}
我将从stdout获取整个json

{
           "@version" => "1",
               "host" => "localhost",
               "type" => "logstash",
               "data" => "{\"data\": \"blablabla\"}",
               "path" => "/path/from/my/app",
         "@timestamp" => 2019-01-11T20:39:10.845Z,
            "message" => "{\"data\": \"blablabla\"}"
}
谁能告诉我我做错了什么。
先谢谢你。

我使用docker elk stack,elk_VERSION=6.5.4

add_field
用于在筛选成功时添加自定义逻辑,许多筛选都有此选项。如果要将json解析为字段,应使用:

add_field
用于在筛选成功时添加自定义逻辑,许多筛选都有此选项。如果要将json解析为字段,应使用:

我做了同样的事情并且成功了。无论如何谢谢你的回答。我做了同样的事情并且成功了。无论如何谢谢你的回答。 
filter {
  json {
    source => "message"
    target => "data"  // parse into data field
  }
}