如何在logstash/kibana中添加自定义字段? [英] How do I add a custom field to logstash/kibana?

问题描述

我正在使用 python-logstash 来写入logstash.它提供了添加其他字段的选项，但是问题是所有字段都在 message 字段下.我要完成的工作是在更高级别上添加一个新字段.

I am using python-logstash in order to write to logstash. It offers the option to add extra fields but problem is that all fields are under the message field. What I want to accomplish is adding a new field at the higher level.

我从 logstash.config 中找到了执行此操作的选项(使用 ruby​​ / grok / mutate 插件)，但该解决方案不是可扩展的解决方案(必须为每个计算机实例进行配置)

I found the option to do that from the logstash.config (using ruby/grok/mutate plugins) but this solution is not a scalable one (Would have to configure for every machine instance)

类似的东西:

logger.info('my message')

在Kibana中，我将看到:

And in Kibana I will see:

{
'@timestamp': ...
...
...
'message': 'my message'
'new_field' : 'new_field_value'
}

我该怎么做?

谢谢.

推荐答案

通过阅读python-logstash文档，他们引用了额外"字段，并说他们向logstash消息中添加了额外字段"，这似乎与您所要想要！

From reading the python-logstash documentation, they refer to "extra" fields and say they "add extra fields to logstash message", which seems like exactly what you want!

# add extra field to logstash message 
extra = {
    'test_string': 'python version: ' + repr(sys.version_info),
    'test_boolean': True,
    'test_dict': {'a': 1, 'b': 'c'},
    'test_float': 1.23,
    'test_integer': 123,
    'test_list': [1, 2, '3'], 
}
test_logger.info('python-logstash: test extra fields', extra=extra)

然后确保在logstash输入块中具有"json"编解码器，如下所示:

And then ensure that you have the "json" codec in the logstash input block like this:

input {
  udp {
    port => 5959
    codec => json
  }
}

编辑:我使用示例脚本对此进行了测试，并获得以下Logstash输出:

EDIT: I tested this with the sample script and get the following Logstash output:

{
            "host" => "xxx",
            "path" => "pylog.py",
      "test_float" => 1.23,
            "type" => "logstash",
            "tags" => [],
       "test_list" => [
        [0] 1,
        [1] 2,
        [2] "3"
    ],
    "test_boolean" => true,
           "level" => "INFO",
      "stack_info" => nil,
         "message" => "python-logstash: test extra fields",
      "@timestamp" => "2016-09-25T15:23:58.259Z",
       "test_dict" => {
        "a" => 1,
        "b" => "c"
    },
     "test_string" => "python version: sys.version_info(major=3, minor=5, micro=1, releaselevel='final', serial=0)",
        "@version" => "1",
    "test_integer" => 123,
     "logger_name" => "python-logstash-logger"
}

所有添加的额外字段都与消息字段显示在同一级别.它们不会添加到消息"内部对象中.

All of the extra fields added show at the same level as the message field. They are not added to the 'message' inner-object.

这篇关于如何在logstash/kibana中添加自定义字段?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！