原始文件记录一条是json
{
"event_time": 1507478407800,
"machine_key": "123123",
"user_id":"11850123",
"event": "Login",
"type": "track",
"lib": {
"lib_method": "code",
"lib_version": "3.0.0",
"lib_detail": "com.xx.core.loganalysis.LogSignService##loginLogAfter##LogSignService.java##385",
"lib": "Java"
},
"properties": {
"Login_result": true,
"is_login_id": true,
"LoginMode": "mobile",
"Platform_Type": "pc",
"ip": "27.18.224.222"
}
}
其中: lib, properties 列是不固定的
logstash 扁平化成:
{
"event_time": 1507478407800,
"machine_key": "123123",
"user_id":"11850123",
"event": "Login",
"type": "track",
"lib_method": "code",
"lib_version": "3.0.0",
"lib_detail": "com.xx.core.loganalysis.LogSignService##loginLogAfter##LogSignService.java##385",
"lib": "Java",
"Login_result": true,
"is_login_id": true,
"Platform_Type": "pc",
"ip": "27.18.224.222"
}
目前
input {
file {
path => ['/home/data/test/event.json']
start_position => "beginning"
codec => "json"
}
}
filter {
json {
source => "properties"
}
json {
source => "lib"
}
}
output {
stdout {
codec =>rubydebug
}
}
报错。各位大大有好的方法吗?
{
"event_time": 1507478407800,
"machine_key": "123123",
"user_id":"11850123",
"event": "Login",
"type": "track",
"lib": {
"lib_method": "code",
"lib_version": "3.0.0",
"lib_detail": "com.xx.core.loganalysis.LogSignService##loginLogAfter##LogSignService.java##385",
"lib": "Java"
},
"properties": {
"Login_result": true,
"is_login_id": true,
"LoginMode": "mobile",
"Platform_Type": "pc",
"ip": "27.18.224.222"
}
}
其中: lib, properties 列是不固定的
logstash 扁平化成:
{
"event_time": 1507478407800,
"machine_key": "123123",
"user_id":"11850123",
"event": "Login",
"type": "track",
"lib_method": "code",
"lib_version": "3.0.0",
"lib_detail": "com.xx.core.loganalysis.LogSignService##loginLogAfter##LogSignService.java##385",
"lib": "Java",
"Login_result": true,
"is_login_id": true,
"Platform_Type": "pc",
"ip": "27.18.224.222"
}
目前
input {
file {
path => ['/home/data/test/event.json']
start_position => "beginning"
codec => "json"
}
}
filter {
json {
source => "properties"
}
json {
source => "lib"
}
}
output {
stdout {
codec =>rubydebug
}
}
报错。各位大大有好的方法吗?
0 个回复