
We want to use Logstash's http plugin with a JSON array format to implement service request tracing.

The following error occurs when trying to parse the JSON array:

Error:

:message=>"gsub mutation is only applicable for Strings, skipping", :field=>"message", :value=>nil, :level=>:debug, :file=>"logstash/filters/mutate.rb", :line=>"322", :method=>"gsub"}
:message=>"Exception in filterworker", "exception"=>#<LogStash::ConfigurationError: Only String and Array types are splittable. field:message is of type = NilClass>

My JSON array is:

{
    "data": [
        {
            "appName": "DemoApp",
            "appVersion": "1.1",
            "deviceId": "1234567",
            "deviceName": "moto e",
            "deviceOSVersion": "5.1",
            "packageName": "com.DemoApp",
            "message": "testing null pointer exception",
            "errorLog": "null pointer exception"
        },
        {
            "appName": "DemoApp",
            "appVersion": "1.1",
            "deviceId": "1234567",
            "deviceName": "moto e",
            "deviceOSVersion": "5.1",
            "packageName": "com.DemoApp",
            "message": "testing illegal state exception",
            "errorLog": "illegal state exception"
        }
    ]
}

My Logstash configuration is:

    input {
        http {
            codec => "plain"
        }
    }
    filter {
        json {
            source => "message"
        }
        mutate { gsub => [ "message", "},", "shr" ] }
        split {
            terminator => "shr"
            field => "data"
        }
    }
    output {
        stdout { codec => "json" }
        gelf {
            host => localhost
            facility => "%{type}"
            level => ["%{SeverityLevel}", "INFO"]
            codec => "json"
        }
        file {
            path => "/chroot/result.log"
        }
    }

Any help would be greatly appreciated.


1 Answer


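Logstash has a default metadata field named message, so your JSON message field overlaps with it. Consider renaming the JSON field message to something else.

Another option might be to use the target setting and reference the target field, for example: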

    json { source => "message" target => "data"}
    mutate { gsub => [ "[data][message]", "\}\,\r\n\r\n\{", "\}shr\{" ] }

I hope this helps.

Answered 2017-02-06T12:41:08.590
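An added example, not part of the original question or answer: the error text above says the split filter accepts Array fields, so the parsed `data` array can be split directly, one event per record, with no gsub or terminator. It assumes the request body arrives in `message` via the plain codec as in the question; the rubydebug output is only for inspection.

```logstash
input {
    http {
        # Same as the question: the raw request body lands in the "message" field.
        codec => "plain"
    }
}
filter {
    # Parse the body. The top-level key "data" becomes an array field on the event.
    json {
        source => "message"
        # Drop the raw body once it has been parsed successfully, so the only
        # "message" left is the per-record one nested under [data].
        remove_field => [ "message" ]
    }
    # split accepts String and Array fields. For an array it emits one event
    # per element, and in each event "data" holds that single element.
    split {
        field => "data"
    }
}
output {
    # Each event now exposes [data][appName], [data][message], [data][errorLog], ...
    stdout { codec => "rubydebug" }
}
```

Because each record stays nested under `data`, its `message` key is addressed as `[data][message]` and does not collide with the event's top-level `message` field.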