How do you get a value out of JSON?
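filter {
  if [type] == "my_report_text" {
    # Parse the JSON string in "message" into top-level event fields
    json {
      source => "message"
    }
    # Use server_timestamp (epoch seconds) as the event @timestamp
    date {
      match => ["server_timestamp", "UNIX"]
      remove_field => ["server_timestamp"]
    }
    mutate {
      remove_field => ["message","source","input_type","offset","count","fields"]
      # Copy the nested value text_v1.id into a new top-level field
      add_field => {
        "gid" => "%{[text_v1][id]}"
      }
    }
    # Drop events that carry no text_v1.id
    if ![text_v1][id] {
      drop {}
    }
  }
}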
In fact, all you need is the "%{[text_v1][id]}" syntax.
In the example, message holds a JSON string. Two sample records follow for reference.
{"@timestamp":"2017-10-31T12:21:23.896Z","beat":{"hostname":"pccm","name":"pccm","version":"5.5.1"},"input_type":"log","message":"{\"server_ip\":\"172.19.0.5\",\"server_timestamp\":1509450155,\"uid\":813837017074237440,\"pid\":0,\"text_v1\":{\"feature\":1,\"content\":\"Cool\",\"platform\":0,\"country\":\"us\",\"app_version\":\"6.30\"}}","offset":630,"source":"/data/log/report_text.log","type":"my_report_text"}
{"@timestamp":"2017-10-31T12:21:23.896Z","beat":{"hostname":"pccm","name":"pccm","version":"5.5.1"},"input_type":"log","message":"{\"server_ip\":\"172.19.0.5\",\"server_timestamp\":1509450155,\"uid\":813837017074237440,\"pid\":0,\"text_v1\":{\"id\":\"AMX76rwXQ36inHnbYZL8BA\",\"feature\":1,\"content\":\"Cool\",\"platform\":0,\"country\":\"us\",\"app_version\":\"6.30\"}}","offset":630,"source":"/data/log/report_text.log","type":"my_report_text"}