LogStash字符串消息解析为JSON格式
我正在尝试将日志消息解析为JSON格式 我在LogStash中输入了下一条JSON消息:LogStash字符串消息解析为JSON格式,logstash,logstash-configuration,Logstash,Logstash Configuration,我正在尝试将日志消息解析为JSON格式 我在LogStash中输入了下一条JSON消息: { ... field 1: xxx, message: "----------- SCAN SUMMARY -----------\nKnown viruses: 8520944\nEngine version: 0.102.4\nScanned directories: 408\nScanned files: 1688\nInfected files: 0\nT
{
...
field 1: xxx,
message: "----------- SCAN SUMMARY -----------\nKnown viruses: 8520944\nEngine version: 0.102.4\nScanned directories: 408\nScanned files: 1688\nInfected files: 0\nTotal errors: 50\nData scanned: 8.93 MB\nData read: 4.42 MB (ratio 2.02:1)\nTime: 22.052 sec (0 m 22 s)\n",
fieldX: ...
}
message:
{
known_viruses: 8520944,
engine_version: 0.102.4
scanned_directories: 408,
...
}
dissect {
mapping => {
"message" => "%{removeField}\n%{viruses}\n%{engine_version}"
}
}
您知道如何将消息字符串转换为有效的JSON格式吗?如果格式的顺序始终相同,您可以使用grok filter插件查看: 我认为模式可能会起作用,如果您想使用时间的数值作为秒,您可以稍微更改模式,以及文件大小…:
----------- SCAN SUMMARY -----------\nKnown viruses: %{NUMBER:known_viruses}\nEngine version: %{DATA:engine_version}\nScanned directories: %{NUMBER:scanned_directories}\nScanned files: %{NUMBER:scanned_files}\nInfected files: %{NUMBER:infected_files}\nTotal errors: %{NUMBER:total_errors}\nData scanned: %{DATA:data_scanned}\nData read: %{DATA:data_read}\nTime: %{DATA:time}\n
\n不需要跳过。请更新答案:)它可以与\n一起使用,而无需跳过它。如果你跳过它,它就不起作用了。更新了代码片段
ruby {
event["message"] = event["message"].split("\n")
}
----------- SCAN SUMMARY -----------\nKnown viruses: %{NUMBER:known_viruses}\nEngine version: %{DATA:engine_version}\nScanned directories: %{NUMBER:scanned_directories}\nScanned files: %{NUMBER:scanned_files}\nInfected files: %{NUMBER:infected_files}\nTotal errors: %{NUMBER:total_errors}\nData scanned: %{DATA:data_scanned}\nData read: %{DATA:data_read}\nTime: %{DATA:time}\n