如何控制decode_json_fields级别?max_depth在我的情况下似乎没有帮助。
目标:解析'/var/lib/docker/containers//.log',但控制json的最大深度(不要在elasticsearch索引中生成数百个嵌套字段)
name: "host-01"
queue:
mem:
events: 16384
# batch of events to the outputs. "0" ensures events are immediately available to be sent to the outputs.
flush.min_events: 0
filebeat:
prospectors:
- type: log
paths:
- '/tmp/test.log'
json:
# key on which to apply the line filtering and multiline settings
message_key: log
keys_under_root: true
add_error_key: true
processors:
- decode_json_fields:
fields: ["log"]
process_array: false
max_depth: 1
overwrite_keys: false
output:
console:
pretty: true范例
echo '{"log":"{ "status": { "foo": { "bar": 1 } }, "bytes_sent": "0", "gzip_ratio": "-", "hostname": "cb7b5441f0da" }\n","stream":"stdout","time":"2018-12-29T11:25:36.130729806Z"}' >> /tmp/test.log实际结果:
{
...
"log": {
"status": {
"foo": {
"bar": 1
}
},
"bytes_sent": "0",
"gzip_ratio": "-",
"hostname": "cb7b5441f0da"
...
}预期结果:
{
...
"log": {
"status": "{ \"foo\": { \"bar\": 1 } }"
},
"bytes_sent": "0",
"gzip_ratio": "-",
"hostname": "cb7b5441f0da"
...
}如何控制嵌套的json对象?
下面是一些说明https://github.com/elastic/beats/issues/9834#issuecomment-451134008但是删除json:而只保留decode_json_fields也没有帮助
链接到discuss.elastic.co https://discuss.elastic.co/t/filebeat-how-control-level-nested-json-object-parsing-decode-json-fields/162876
1条答案
按热度按时间rpppsulh1#
截至2022年,filebeat
decode_json_fields处理器仍然无法满足这一要求:解析JSON文档关键字最多只能达到第N个深度,并将更深的JSON关键字保留为未解析的字符串。
在elastic/beats github存储库中有一个open issue讨论了
decode_json_fields处理器的max_depth属性行为,其中一个线程中的参与者友好地提供了一个解决方案,利用了scriptfilebeat处理器。PS:我已经将原始代码片段根JSON键更改为“log”,以满足OP要求。