0

我在一个数组中有 Json 日志,如下所示:

e":[{"n":"3/0/1","st":"CONTENT","v":"Sensortag"},
    {"n":"3/0/3","st":"CONTENT","v":"Contiki-develop-20150508-409-g2147b9e"},
    {"n":"3/0/13","st":"CONTENT","v":"1970-01-09T21:02:18Z"},
    {"n":"3301/0/5700","st":"CONTENT","v":"376.64"},
    {"n":"3303/0/5700","st":"CONTENT","v":"22.843"},
    {"n":"3304/0/5700","st":"CONTENT","v":"63.53"},
    {"n":"3315/0/5700","st":"CONTENT","v":"1000.34"}]

我想从数组中删除前 3 个元素,并使用过滤器保留最后 4 个元素。

我有这个作为我的过滤器:

filter {

   if ([type] == "testbed"){

           if [MessageParserJson][e[{}] in [MessageParserJson]{
                   mutate {
                           remove_field => ["[MessageparserJson][e[{0}]]" , "[MessageparserJson][e[{1}]]" , "[MessageParserJson][e[{2}]]"]
                           add_field => { "[MessageParserJson][e[{3}]]" => "MessageParser" }
                           add_field => { "[MessageParserJson][e[{4}]]" => "MessageParser" }

                           add_field => { "[MessageParserJson][e[{5}]]" => "MessageParser" }
                           add_field => { "[MessageParserJson][e[{6}]]" => "MessageParser" }
                            }
                           }

                   drop {
                           remove_field => ["MessageParserJson"]
                           }

 }
}

但是 Logstash 让自己陷入了错误

4

1 回答 1

0

您可以为此使用 Ruby 过滤器,例如删除应该起作用的前三个元素:

filter {
    ruby { 
        code => "event['MessageParserJson'].slice!(0,3)"
    }
}

干杯

于 2015-11-18T08:00:40.697 回答