Logstash problem with the json formatter [LogStash::Json::ParserError: Unexpected character ('-' (code 45)): was expecting comma to separate ARRAY entries]


I'm having a problem converting values through Logstash and I can't find a solution. It seems to be related to the date.

#Log line
[2017-08-15 12:30:17] api.INFO: {"sessionId":"a216925---ff5992be7520924ff25992be75209c7","action":"processed","time":1502789417,"type":"bookingProcess","page":"order"} [] []
Logstash configuration

filter {
        if [type] == "api-prod-log" {
                grok {
                        match => {"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}.%{WORD:level}: (?<log_message>.*) \[\] \[\]" }
                        add_field => [ "received_from", "%{host}" ]
                }
                json {
                    source => "log_message"
                    target => "flightSearchRequest"
                    remove_field=>["log_message"]
                }
                date {
                        match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
                        timezone => "Asia/Jerusalem"
                }
        }
}
Any ideas?

Thanks

What version of Logstash are you using? Using the following Logstash configuration on Logstash 5.2.2:

input {
    stdin{}
}

filter {
    grok {
        match => {"message" => '\[%{TIMESTAMP_ISO8601:timestamp}\] %{WORD:module}.%{WORD:level}: (?<log_message>.*) \[\] \[\]' }
    }
    json {
        source => "log_message"
        target => "flightSearchRequest"
        remove_field=>["log_message"]
    }
    date {
        match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Asia/Jerusalem"
    }
}

output{
    stdout {codec => "rubydebug"}
}
I just removed the check on "type" at the start; can you test whether that affects the result?

{
             "@timestamp" => 2017-08-15T09:30:17.000Z,
    "flightSearchRequest" => {
           "action" => "processed",
        "sessionId" => "a216925---ff5992be7520924ff25992be75209c7",
             "time" => 1502789417,
             "page" => "order",
             "type" => "bookingProcess"
    },
                  "level" => "INFO",
                 "module" => "api",
               "@version" => "1",
                "message" => "[2017-08-15 12:30:17] api.INFO: {\"sessionId\":\"a216925---ff5992be7520924ff25992be75209c7\",\"action\":\"processed\",\"time\":1502789417,\"type\":\"bookingProcess\",\"page\":\"order\"} [] []",
              "timestamp" => "2017-08-15 12:30:17"
}
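
An added example, not code from either poster: the error text in the title is what a JSON parser reports when it is handed the whole log line instead of the extracted payload, because `[2017` opens an array and the `-` (code 45) that follows is not a comma. The sketch below reproduces that on the sample line and then decodes only the payload; Python's `json` and `re` modules stand in for the Logstash json and grok filters (an assumption), and `json_error` and `parse_line` are hypothetical helper names.

```python
import json
import re

# Sample line copied from the question above.
LINE = ('[2017-08-15 12:30:17] api.INFO: '
        '{"sessionId":"a216925---ff5992be7520924ff25992be75209c7",'
        '"action":"processed","time":1502789417,'
        '"type":"bookingProcess","page":"order"} [] []')

# Python rendering of the grok pattern: timestamp, module.level,
# JSON payload, then the two trailing empty arrays.
LINE_RE = re.compile(
    r'^\[(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] '
    r'(?P<module>\w+)\.(?P<level>\w+): (?P<log_message>.*) \[\] \[\]$'
)

def json_error(text):
    """Return (offending_char, char_code, offset) if text is not valid JSON, else None."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        ch = text[exc.pos] if exc.pos < len(text) else ''
        return ch, ord(ch) if ch else None, exc.pos
    return None

def parse_line(line):
    """Split the line first, then JSON-decode only the captured payload."""
    m = LINE_RE.match(line)
    if m is None:
        # Same tag Logstash's grok filter adds when the pattern does not match.
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    payload = event.pop("log_message")
    if json_error(payload) is not None:
        # Keep the raw payload for triage instead of dropping the event.
        event["tags"] = ["_jsonparsefailure"]
        event["log_message"] = payload
    else:
        event["flightSearchRequest"] = json.loads(payload)
    return event

if __name__ == "__main__":
    print("raw line as JSON ->", json_error(LINE))
    print("payload only     ->", parse_line(LINE))
```
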