How to write the filter section in Logstash for a nested JSON file


I have the following log file:

{
    "level":"error",
    "msg":"err:ERR_AUTH_PORTAL_USER,tenantid:7,reason:out of access period,code:EP05,username:Che,venueid:10,devicemac:##-##-##-##-##-##,apmac:##-##-##-##-##-##,ssid:Jetwig,timestamp:Jan 22 2018 09:05:31 UTC",
    "time":"2018-01-22T14:35:31+05:30"
}
I want to use the Logstash grok filter to filter them based on msg:
err:ERR_AUTH_PORTAL_USER
How can I do that?

This is what I have tried so far:

input {
    file {
        type => vampserror
        path => "/home/ampsErrorLog/getError/*"
        start_position => "beginning"
    }
}

filter {
    grok {
        patterns_dir => ["./patterns"] 
        match => {  "message" => "%{LOGLEVEL:level} %{MESSAGE:msg} %{TIMESTAMP:timestamp}" }
    }
}

if "ERR_AUTH_PORTAL_USER" in [msg] {

}

output {
    stdout { codec => rubydebug }
}
Add this to your conf file

mongodb {
    collection => "error"
    database => "dev"
    uri => "mongodb://localhost:27017"
    isodate => true
}
is optional
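
An added example, not part of the original question or answer: a filter that parses each JSON line, splits msg into fields with the kv filter instead of a custom grok pattern, and tags ERR_AUTH_PORTAL_USER events so that only those reach the mongodb output shown in the answer. It assumes one JSON object per line in the file; the detail field and the auth_portal_user tag are hypothetical names.

```logstash
input {
  file {
    type => "vampserror"
    path => "/home/ampsErrorLog/getError/*"
    start_position => "beginning"
  }
}

filter {
  # Assumption: every event is one JSON object on a single line.
  # This turns level, msg and time into top-level fields.
  json { source => "message" }

  # msg is a flat "key:value,key:value" string, so split it on "," and ":".
  # include_keys keeps only the fields needed for filtering and triage.
  kv {
    source       => "msg"
    field_split  => ","
    value_split  => ":"
    include_keys => ["err", "code", "reason", "tenantid", "venueid"]
    # "detail" is a hypothetical target field name.
    target       => "detail"
  }

  # Use the event's own time field as @timestamp.
  date { match => ["time", "ISO8601"] }

  # Tag the authentication failures the question asks about.
  if [detail][err] == "ERR_AUTH_PORTAL_USER" {
    # "auth_portal_user" is a constructed tag name.
    mutate { add_tag => ["auth_portal_user"] }
  }
}

output {
  # Only tagged events are written to MongoDB; everything is still printed.
  if "auth_portal_user" in [tags] {
    mongodb {
      collection => "error"
      database   => "dev"
      uri        => "mongodb://localhost:27017"
      isodate    => true
    }
  }
  stdout { codec => rubydebug }
}
```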