• logstash解析嵌套json格式数据

    logstash解析嵌套json格式数据

    1、源文件

      1.原日志文件为

    2019-10-28 09:49:44:947 [http-nio-8080-exec-23] INFO  [siftLog][qewrw123ffwer2323fdsafd] - logTime:2019-10-28 09:49:25.833-receiveTime:2019-10-28 09:49:44.044-{"area":"","frontInitTime":0,"initiatePaymentMode":"plugin_manual","network":"电信","os":"Microsoft Windows 7","payStatus":"1","reqs":[{"curlCode":"0","end":"2019-10-28 09:49:25.233","errorCode":"","errorDesc":"","totalTime":2153}],"settleAccountsTime":0}

      在这里我们需要先把json前面一段的正则写出来,由于这些数据在实际生产没什么实际意义,所以没重点分字段

      DATETIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?
           ACCESSLOG %{DATETIME:logTime} [%{DATA:threadName}] %{DATA:loglevel}  [%{DATA:logType}][%{DATA:appId}] - logTime:%{DATETIME:logTime2}-receiveTime:%{DATETIME:receiveTime}-%{GREEDYDATA:jsonMsg}

      这个文件json中间还嵌套了一个json,所以需要把里面嵌套的json在拿出来解析,故logstash配置文件应该写成   

    input {
  kafka {
    #bootstrap_servers => "kafka-service.ops:9092"
    bootstrap_servers => "172.27.27.220:9092,172.27.27.221:9092,172.27.27.222:9092"
    topics => ["test-grok"]
    codec => "json"
    type => "test-grok"
  }
}

filter {
  if [type] == "test-grok" {
    grok {
        patterns_dir => [ "/opt/appl/logstash/patterns" ]
        match => { "message" => "%{ACCESSLOG}" }
    }
    mutate {
      gsub => [ "jsonMsg","[","" ]
      gsub => [ "jsonMsg","]","" ]
    }
    json {
      source => "jsonMsg"
    }
    mutate {
      add_field => { "reqs_json" => "%{reqs}" }
    }
    json {
      source => "reqs_json"
      remove_field => ["reqs","reqs_json","message","jsonMsg"]
    }
  }

  ruby {
    code => "event.timestamp.time.localtime"
  }

}

output {
  elasticsearch {
    hosts => ["172.27.27.220:9200","172.27.27.221:9200","172.27.27.222:9200"]
    index => "logstash-test-grok-%{+YYYY.MM.dd}"
    template_overwrite => true
  }
}

      

      2.原日志文件为  

    [2019-10-28 10:01:01.169] [Thread-13086] INFO  [192.168.2.1, 192.168.1.1, 192.168.1.2_1572_smallTrade] [INTERFACE] - [HTTP] [request] - {"latitude":"","cardCode":"","memberCouponNo":"","transAmount":"900","hbFqNum":"","confirmCode":"9357","couponAmount":"","lastCost":"2360","memberMobile":"","timestamp":"1572228060000","longitude":""}

      日志只需要取到有lastCost这个关键字的,所以filebeat配置应该为  

    - type: log
  enabled: true
  paths:
    - /opt/appl/tomcat/logs/test/test.log
  include_lines: ['.*lastCost.*']
  tail_files: true
  fields:
    type: interface
    log_module: test-interface
output.kafka:
  enabled: true
  hosts: ["172.27.27.220:9092,172.27.27.221:9092,172.27.27.222:9092"]
  topic: '%{[fields][type]}'

      

      由于研发同事把客户端的IP加到了第一个第四个字段的第一个IP,所以要把这个IP单独拿出来分析

      DATETIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?

      

    input {
       kafka {
         bootstrap_servers => "172.27.27.220:9092,172.27.27.221:9092,172.27.27.222:9092"
         topics => ["interface"]
         codec => "json"
         type => "test-interface"
       }
}

filter {
        if [type] == "test-interface" {
                grok {
                        patterns_dir => [ "/opt/logstash/patters" ]
                        match => { "message" => "[%{DATETIME:log_timestamp}] [%{DATA:ThreadName}] %{LOGLEVEL:logLevel}  [%{DATA:IP}] [%{DATA:InterfaceTag}] - [%{DATA:Protocol}] [%{DATA:LogType}] - %{GREEDYDATA:jsonMsg2}" }
                }
                json {
                        source => "jsonMsg2"
                        remove_field => [ "jsonMsg2","message" ]
                }
                mutate {
                        convert => [ "lastCost","float" ]
                        split => ["IP",", "]
                        add_field => { "clientIp" => "%{[IP][0]}" }
                        add_field => { "proxyIp" => "%{[IP][1]}" }
                        add_field => { "time" => "%{[IP][2]}" }
                }
                geoip {
                        source => "clientIp"
                        #database => "/opt/logstash-interface/Geoip/GeoLite2-City_20191022/GeoLite2-City.mmdb"
                }
                }
                ruby {
                code => "event.timestamp.time.localtime"
                }
}

output {
	elasticsearch {
		hosts => ["172.27.27.220:9200","172.27.27.221:9200","172.27.27.222:9200"]
		index => "logstash-test-interface-%{+YYYY.MM.dd}"
		template_overwrite => true
	}
}

      
  • 相关阅读:
    监控视频长度压缩算法
    获取客户端IP
    常用API接口签名验证参考
    .NET发布的程序代码防止反编译
    SQL Server 获取日期时间并格式化
    SQL Server2008R2可疑状态恢复
    限制网站报错信息暴露在外(客户端可以查看到)
    发布网站时线上网站务必把debug设置false
    IIS上的项目网站关闭Http请求中的Trace和OPTIONS
    使用uploadify上传大文件报 IO error #2038错误的解决方案
  • 原文地址:https://www.cnblogs.com/jcici/p/11750690.html
Copyright © 2020-2023  润新知