2

我有一个 nginx 日志文件,看起来类似于这个:

{ "@timestamp": "2013-09-03T14:21:51-04:00", "@fields": { "remote_addr": "xxxxxxxxxxxx", "remote_user": "-", "body_bytes_sent": "5", "request_time": "0.000", "status": "200", "request": "POST foo/bar/1 HTTP/1.1", "request_body": "{\x22id\x22: \x22460\x22, \x22source_id\x22: \x221\x22, \x22email_address\x22: \x22foo@bar.com\x22, \x22password\x22: \x2JQ6I\x22}", "request_method": "POST", "request_uri": "foo/bar/1", "http_referrer": "-", "http_user_agent": "Java/1.6.0_27" } }

我想知道是否可以使用logstash过滤器发送类似于以下内容的日志:

{"@fields": { "request": "POST foo/bar/1 HTTP/1.1", "request_body": "{\x22id\x22: \x22460\x22, \x22source_id\x22: \x221\x22, \x22email_address\x22: \x22foo@bar.com\x22, \x22password\x22: \x2JQ6I\x22}"}

所以我只对整个日志中的几个领域感兴趣。

换句话说,我想从日志中提取必要的数据,然后将其发送到任何输出

4

1 回答 1

3

是的,如果您首先通过 json 过滤器,您可以这样做。然后你需要这样的东西:

filter {
  json {
    source => "message"
    add_tag => "json"
  }
  mutate {
    tags => [ "json" ]
    remove_field => [ "[@fields][remote_addr]", "[@fields][remote_user]", "[@fields][body_bytes_sent]", "[@fields][request_time]" ]
  }
}

我有一个与此类似的配置,适用于 1.2.0 版的 logstash。希望这可以帮助。

于 2013-09-07T02:45:55.160 回答