我有以下日志存储配置
mutate {
add_field => {
"alert_message" => "%{[message]}"
}}
它创建一个elasticsearch索引,其中包含一个字段“alert\u message”,如下所示,这是一个嵌套字典。
"alert_message" : "{\"@timestamp\":\"2020-09-04T18:04:24.490Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"7.4.2\",\"topic\":\"oracle_test_log_alert\"},\"ecs\":{\"version\":\"1.1.0\"},\"log\":{\"offset\":590474284,\"file\":{\"path\":\"/u00/app/oracle/diag/rdbms/dwprdp/DWPRD2/trace/alert_DWPRD2.log\"}},\"message\":\"Fri Sep 04 18:04:23 2020\",\"input\":{\"type\":\"log\"},\"timezone\":\"GMT\",\"host\":{\"name\":\"db012.sjc2\"},\"agent\":{\"type\":\"filebeat\",\"ephemeral_id\":\"40a80279-be28-42d1-904c-7f3b8b1bfa7a\",\"hostname\":\"db012.sjc2\",\"id\":\"16b25f53-cde6-4e25-a846-9afe4b5ccaa5\",\"version\":\"7.4.2\"}}\n{\"@timestamp\":\"2020-09-04T18:05:19.492Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"7.4.2\",\"topic\":\"oracle_test_log_alert\"},\"input\":{\"type\":\"log\"},\"timezone\":\"GMT\",\"ecs\":{\"version\":\"1.1.0\"},\"host\":{\"name\":\"db012.sjc2\"},\"agent\":{\"type\":\"filebeat\",\"ephemeral_id\":\"40a80279-be28-42d1-904c-7f3b8b1bfa7a\",\"hostname\":\"db012.sjc2\",\"id\":\"16b25f53-cde6-4e25-a846-9afe4b5ccaa5\",\"version\":\"7.4.2\"},\"message\":\"Thread 2 advanced to log sequence 2035566 (LGWR switch)\",\"log\":{\"file\":{\"path\":\"/u00/app/oracle/diag/rdbms/dwprdp/DWPRD2/trace/alert_DWPRD2.log\"},\"offset\":590474469}}",现在我只希望“message”键的值成为elasticsearch索引中“alert\u message”的内容。我在日志文件中尝试了[message][message](字典的键)。
mutate {
add_field => {
"alert_message" => "%{[message][message]}"
}}
但当我这样做时,它不是只打印消息键的值,而是打印我在logstash配置文件中提到的内容,如下所示。。。
"alert_message" : "%{[message][message]}", --> ( here )
"@timestamp" : "2020-09-04T18:17:15.696Z",请帮我修一下
暂无答案!
目前还没有任何答案,快来回答吧!