Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/variables/2.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Logstash:根据某些条件重命名嵌套字段_Logstash - Fatal编程技术网
Fatal编程技术网
  • logstash/
  • Logstash:根据某些条件重命名嵌套字段

Logstash:根据某些条件重命名嵌套字段

logstash

Logstash:根据某些条件重命名嵌套字段,logstash,Logstash,迁移到Amazonelasticsearch时,我正在尝试重命名Elasticsearch中的嵌套字段 在文档中,我想更改 1.如果值字段具有JSON类型。将值字段更改为值关键字,并删除“值空白”和“值标准”(如果存在) 2.如果值字段的大小大于15。将值字段更改为值标准 "_source": { "applicationid" : "appid", "interactionId": "716bf006-7280-44ea-a52f-c79da36af1

迁移到Amazonelasticsearch时,我正在尝试重命名Elasticsearch中的嵌套字段

在文档中,我想更改

1.如果字段具有JSON类型。将字段更改为值关键字,并删除“值空白”和“值标准”(如果存在)

2.如果值字段的大小大于15。将字段更改为值标准

 "_source": {
          "applicationid" : "appid",
          "interactionId": "716bf006-7280-44ea-a52f-c79da36af1c5",
          "interactionInfo": [
            {
              "value": """{"edited":false}""",
              "value-standard": """{"edited":false}""",
              "value-whitespace" :  """{"edited":false}"""
              "title": "msgMeta"
            },
            {
              "title": "msg",
              "value": "hello testing",
            },
            {
              "title": "testing",
              "value": "I have a text that can be done and changed only the size exist more than 20 so we applied value-standard ",
            }
          ],
          "uniqueIdentifier": "a21ed89c-b634-4c7f-ca2c-8be6f31ae7b3",
        }
      }
最终结果应该是

 "_source": {
          "applicationid" : "appid",
          "interactionId": "716bf006-7280-44ea-a52f-c79da36af1c5",
          "interactionInfo": [
            {
              "value-keyword": """{"edited":false}""",
              "title": "msgMeta"
            },
            {
              "title": "msg",
              "value": "hello testing",
            },
            {
              "title": "testing",
              "value-standard": "I have a text that can be done and changed only the size exist more than 20 and so we applied value-standard  ",
            }
          ],
          "uniqueIdentifier": "a21ed89c-b634-4c7f-ca2c-8be6f31ae7b3",
        }
      }
对于2),您可以这样做:

filter {
    if [_source][interactionInfo][2][value] =~ /.{15,15}/ {

        mutate {
            rename => ["[_source][interactionInfo][2][value]","[_source][interactionInfo][2][value-standard]"]
        }
    }
}
正则表达式
{15,15}
匹配任何长度为15个字符的字符串。如果字段长度小于15个字符,则正则表达式不匹配,并且不应用
mutate#rename

对于1),一种可能的解决方案是尝试使用json过滤器解析字段,如果没有
\u jsonparsefailure
标记,则重命名字段。

为此字段创建了解决方案。我在Logstash中使用了ruby过滤器来检查每个文档以及嵌套文档 这是ruby代码

require 'json'

def register(param)
end

def filter(event)
  infoarray = event.get("interactionInfo")
  infoarray.each {  |x|
      if x.include?"value"
         value = x["value"]
         if value.length > 15
           apply_only_keyword(x)
         end
       end
      if x.include?"value"
        value = x["value"]
         if validate_json(value)
           apply_only_keyword(x)
         end
       end
  }
event.set("interactionInfo",infoarray)
return [event]
end


def validate_json(value)
  if value.nil?
    return false
  end
  JSON.parse(value)
  return true
rescue JSON::ParserError => e
  return false
end

def apply_only_keyword(x)
  x["value-keyword"] = x["value"]
  x.delete("value")
  if x.include?"value-standard"
    x.delete("value-standard")
  end
  if x.include?"value-whitespace"
    x.delete("value-whitespace")
  end
end
这不适用于我们的情况。有时标题和值的顺序可能会有所不同。在某些情况下,我们可能有一个嵌套文档(标题和值),而在其他情况下,我们可能有多个嵌套文档(标题和值),那么您可能必须使用
ruby
过滤器,并在代码中执行此操作。或者删除专门构建的应用程序的日志存储。将尝试使用ruby筛选器。故意丢木头意味着你没被抓到