Is it possible to use mutate to split a nested JSON field value from a JSON log into additional subfields in a Logstash filter?



I have a JSON log like this being streamed into ELK:

{
  "event": "Events Report",
  "level": "info",
  "logger": "XXXXX",
  "method": "YYYYY",
  "report_duration": {
    "duration": "5 days, 12:43:16",
    "end": "2021-12-13 03:43:16",
    "start": "2021-12-07 15:00:00"
  },
  "request_type": "GET",
  "rid": "xyz-123-yzfs",
  "field_id": "arefer-e3-adfe93439",
  "timestamp": "12/13/2021 03:43:53 AM",
  "user": "8f444233ed4-91b8-4839-a57d-ande2534"
}

I want to further split the duration value "5 days, 12:43:16" into something like "days": "5".

I have tried the Logstash filter below, but it still does not work:

filter {
  if "report_duration" in [reports] {
    mutate {
      split => { "duration" => " " }
      add_field => { "days" => "%{[duration][0]}" }
      convert => {
        "days" => "integer"
      }
    }
  }
}

I think this config matches what you want:

# Since I wasn't sure of what you wanted, I changed the conditional here to check if the duration nested field is present
if [report_duration][duration] {
  mutate {
    # Since duration is nested under report_duration, it has to be accessed this way:
    split => { "[report_duration][duration]" => " " }
    # The split option replaces the text field with an array, so it's still nested
    add_field => { "days" => "%{[report_duration][duration][0]}" }
  }
  # The convert option is executed before the split option, so it has to be moved into its own plugin call
  mutate {
    convert => {
      "days" => "integer"
    }
  }
}

Some references: accessing nested fields, changing the order of filter processing.
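To make the two points in the answer concrete (the field reference must include the parent `report_duration`, and the split has to happen before the integer conversion), here is a plain Ruby model of what the filter does to the event. This is an added example and not part of the original question or answer, nor Logstash's own code: `fetch_field`, `set_field` and `split_duration` are hypothetical helpers that resolve Logstash-style `[parent][child]` references against a parsed event, and the sample log is constructed from the one in the question. It also covers a case the page does not: a duration with no day part, where the first token is not numeric and "days" is simply left unset.

```ruby
require 'json'

# Constructed sample event modelled on the log in the question (not captured data).
SAMPLE_LOG = <<~JSON
  {
    "event": "Events Report",
    "level": "info",
    "report_duration": {
      "duration": "5 days, 12:43:16",
      "end": "2021-12-13 03:43:16",
      "start": "2021-12-07 15:00:00"
    },
    "request_type": "GET"
  }
JSON

# Split a Logstash-style reference such as "[report_duration][duration]" into its
# path segments. A bare name like "duration" is treated as a single top-level key.
def reference_segments(reference)
  segments = reference.scan(/\[([^\]]+)\]/).flatten
  segments.empty? ? [reference] : segments
end

# Resolve a field reference against a parsed event.
# Returns nil when any segment of the path is missing, which is exactly why the
# original filter's "duration" never matched: the value lives one level down.
def fetch_field(event, reference)
  reference_segments(reference).reduce(event) do |node, key|
    return nil unless node.is_a?(Hash)
    node[key]
  end
end

# Write a value at a field reference, creating intermediate hashes as needed.
def set_field(event, reference, value)
  *parents, leaf = reference_segments(reference)
  target = parents.reduce(event) { |node, key| node[key] ||= {} }
  target[leaf] = value
  event
end

# Reproduce the effect of the answer's two mutate blocks:
#   1. split the referenced string field on a single space into an array
#   2. add "days" from element 0 of that array
#   3. convert "days" to an integer as a separate, later step
# Returns the event unchanged when the field is absent, mirroring the
# `if [report_duration][duration]` guard in the answer.
def split_duration(event, reference = "[report_duration][duration]")
  raw = fetch_field(event, reference)
  return event unless raw.is_a?(String)

  parts = raw.split(" ")
  set_field(event, reference, parts)
  # A value like "12:43:16" has no day count, so the first token is not an integer.
  # Assumption for this example: leave "days" unset rather than storing garbage.
  set_field(event, "days", Integer(parts.first, 10)) if parts.first =~ /\A\d+\z/
  event
end

if __FILE__ == $PROGRAM_NAME
  event = JSON.parse(SAMPLE_LOG)
  puts fetch_field(event, "duration").inspect             # top-level lookup finds nothing
  puts fetch_field(event, "[report_duration][duration]")  # nested lookup finds the string
  puts JSON.pretty_generate(split_duration(event))
end
```

Running the script shows the top-level lookup returning nil while the nested reference returns the string, and the mutated event carries both the split array under `report_duration.duration` and an integer `days` of 5.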
