Logstash 的 json 格式化程序出现问题 [LogStash::Json::ParserError: 意外字符('-'(代码 45)):应使用逗号分隔数组项]
我在通过 Logstash 转换值时遇到了问题,一直找不到解决方案。问题似乎与日期有关。
#Log line
[2017-08-15 12:30:17] api.INFO: {"sessionId":"a216925---ff5992be7520924ff25992be75209c7","action":"processed","time":1502789417,"type":"bookingProcess","page":"order"} [] []
Logstash 配置
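# Parses application log lines shaped like
#   [<timestamp>] <module>.<level>: <JSON object> [] []
# and expands the embedded JSON object into the event.
filter {
  if [type] == "api-prod-log" {
    grok {
      # The dot between module and level is escaped so it matches only a
      # literal '.'; unescaped it would match any single character.
      match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}\.%{WORD:level}: (?<log_message>.*) \[\] \[\]" }
      # Copies the event's host field into received_from.
      add_field => [ "received_from", "%{host}" ]
    }

    json {
      # NOTE(review): the ParserError quoted in the question (unexpected '-',
      # code 45, "expected a comma to separate array entries") is what a JSON
      # parser reports when it is handed text that starts with "[2017-08-15",
      # i.e. the raw log line rather than the extracted object. That would be
      # consistent with a JSON decode being applied to the whole line somewhere
      # outside this filter (for example an input codec) - TODO confirm against
      # the input section, which is not shown here.
      source => "log_message"
      target => "flightSearchRequest"
      remove_field => ["log_message"]
      # NOTE(review): the sample line carries a sessionId. After this filter it
      # is stored under [flightSearchRequest][sessionId] and also stays in the
      # original message field. If that value is a live session token, consider
      # hashing it (fingerprint filter) or dropping it before indexing, and
      # restrict who can read the index - confirm with the application owners.
    }

    date {
      # The log timestamp has no zone, so it is interpreted as local time in
      # the configured timezone and written to @timestamp.
      match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Jerusalem"
    }
  }
}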
有什么想法吗?
谢谢。

您使用的是什么版本的 Logstash?我在 Logstash 5.2.2 上使用了以下 Logstash 配置:
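# Minimal reproduction pipeline: paste a log line on stdin and inspect the
# resulting event on stdout. There is no [type] conditional here, so every
# line read from stdin goes through the filters.
input {
  stdin {}
}

filter {
  grok {
    # The dot between module and level is escaped so it matches only a
    # literal '.'; unescaped it would match any single character.
    match => { "message" => '\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}\.%{WORD:level}: (?<log_message>.*) \[\] \[\]' }
  }

  json {
    # Expands the captured JSON text into the flightSearchRequest field and
    # drops the intermediate capture once parsing succeeds.
    source => "log_message"
    target => "flightSearchRequest"
    remove_field => ["log_message"]
    # NOTE(review): the parsed object includes sessionId, and the raw line is
    # still kept in the message field. If that value is a live session token,
    # consider hashing or removing it before events are shipped to a shared
    # index - confirm with the application owners.
  }

  date {
    # The log timestamp has no zone, so it is interpreted as local time in
    # the configured timezone and written to @timestamp.
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Asia/Jerusalem"
  }
}

output {
  # Prints each event in Ruby-inspect form for debugging.
  stdout { codec => "rubydebug" }
}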
我只是去掉了对 "type" 的检查,你能测试一下这是否会影响结果吗?得到的输出如下:
{
"@timestamp" => 2017-08-15T09:30:17.000Z,
"flightSearchRequest" => {
"action" => "processed",
"sessionId" => "a216925---ff5992be7520924ff25992be75209c7",
"time" => 1502789417,
"page" => "order",
"type" => "bookingProcess"
},
"level" => "INFO",
"module" => "api",
"@version" => "1",
"message" => "[2017-08-15 12:30:17] api.INFO: {\"sessionId\":\"a216925---ff5992be7520924ff25992be75209c7\",\"action\":\"processed\",\"time\":1502789417,\"type\":\"bookingProcess\",\"page\":\"order\"} [] []",
"timestamp" => "2017-08-15 12:30:17"
}