Logstash配置文件错误（Answer not working） [英] Logstash configuration file error(Answer not working)

问题描述

唯一确定[url] [queryString]的是它以404开头;或者键长。我需要删除这样的键。
如果我使用下面的红宝石代码，它不能将链接的hashmap转换为字符串异常。

The only thing that is certain about [url][queryString] is that it begins with 404; or that the key is long.I need to remove such keys. If I use the ruby code below it gives cannot convert linked hashmap to string exception.

input {
    file {
        # Wildcards work, here :)
        path => ["C:\Users\ppurush\Desktop\test\*.log"]
        start_position => "beginning"
    }
}

filter {
    ruby {
        code=>
        "
        require json
        my_hash = JSON.parse([url][queryString])
        my_hash.delete_if { |key,value| key.to_s.match(/^404;/) }
        "
    }
}

output {
    stdout{}
    elasticsearch {
       host => localhost
    }
}

推荐答案

你得到一个 ruby​​异常，因为你的ruby代码是无效的。尝试这样做：

You get a ruby exception because your ruby code is invalid. Try this instead:

filter {
    ruby {
        init => "require 'json'"
        code => "
            my_hash = JSON.parse( event['url']['queryString'] )
            my_hash.delete_if { |key,value| key.to_s.match(/^404;/) }
        "
    }
}

如果您的活动有'url'=> 'queryString'字段包含有效的json。您可能已经有了某种过滤器来实现这一点（例如神交）。您也可以考虑使用logstash内置的 json filter 也可以删除删除某些事件

This works if your event has a 'url' => 'queryString' field which contains valid json. You might already have some kind of filter to achieve this (e.g. grok). You might also consider using logstash's built-in json filter and maybe drop to delete certain events.

假设你的输入是简单的json （我不得不整理这个）：

Suppose your input is plain json (I had to tidy this up):

{"id":"val1","host":"val2","app":"val3","@timestamp":"2015-08-04T19:00:03.642932‌​2Z","@timestampEnd":"2015-08-04T19:00:03.6429322Z","vid":"val4","vidNew":"val5","se‌​ssionId":"val6","url":{"rawUrl":"val7","path":"val8","queryString":{"404;dfdgfdgf‌​ghfhjghhhhhhhhhhhhh":""}},"net":{"method":"GET","status":"200","size":"0","timeTa‌​kenMillis":"0"},"context":{"SearchType":""}}

您可以使用 codec =>您的文件输入中的json。

input {
    file {
        path => ["C:\Users\ppurush\Desktop\test\*.log"]
        start_position => "beginning"
        codec => "json"
    }
}

你会得到一个字段： p>

You will get a field:

"url" => {
         "rawUrl" => "val7",
           "path" => "val8",
    "queryString" => {
        "404;dfdgfdgf‌​ghfhjghhhhhhhhhhhhh" => ""
    }
}

所以 404; dfdgfdgf ghfhjghhhhhhhhhhhhhh 也是一个变量。要检查并删除事件，您可以执行以下操作：

So 404;dfdgfdgf‌​ghfhjghhhhhhhhhhhhh is a variable, too. To check for it and delete the event you could do something like this:

if [url][queryString][404;dfdgfdgf‌​ghfhjghhhhhhhhhhhhh] {
        drop {}
    }

这篇关于Logstash配置文件错误（Answer not working）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！