Logstash mutate从json添加所有字段 [英] Logstash mutate add all fields from json

问题描述

我正在使用Logstash插件(logstash-input-rethinkdb).该插件获取数据库中的所有编辑内容，并输出一个包含以下结构的json对象:

I am using a Logstash plugin (logstash-input-rethinkdb). This plugin grabs all the edits in the database and outputs an json object containing the following structure:

{
      "db":"itjobs",
      "table":"countries", 
      "old_val":null,
      "new_val":{
           "code":"USA3",
           "country":"USA3",
           "id":"7c8c9e4e-aa37-48f1-82a5d624cde4a3a0"
      },
      "@version":"1",
      "@timestamp":"2016-12-19T19:54:08.263Z"
 }

我将此文档插入elasticsearch中.
但是问题在于，在弹性中，我使用-> new_val:{code:''}

I insert this doc in elasticsearch.
But the problem is that in elastic i get the same structure with -> new_val:{code:''}

我需要做一个过滤器或将要从 new_val 中提取所有内容并将其添加到根中的操作

I need to do a filter or something that will extract everything from new_val and add it to the root

我尝试了过滤器 json ，但这得到了 string ，并且插件已经输出json

I tried the filter json but this get a string and the plugin already outputs json

编辑后，我需要它看起来像:

After edit i need it to look like:

{
      "db":"itjobs",
      "table":"countries", 
      "code":"USA3",
      "country":"USA3",
      "id":"7c8c9e4e-aa37-48f1-82a5d624cde4a3a0"
      "@version":"1",
      "@timestamp":"2016-12-19T19:54:08.263Z"
 }

推荐答案

您可以使用ruby过滤器:

You can use the ruby filter:

filter {
    ruby {
        code => "
            event['new_val'].each {|k, v|
                event[k] = v
            }
            event.remove('new_val')
        "
    }
}

使用Logstash 2.2进行了测试，对于版本5+，它应该有所不同.

Tested with Logstash 2.2, it should be different for version 5+.

这篇关于Logstash mutate从json添加所有字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！