服务器 Gind.cn
  1. 服务器 Gind.cn
  3. Logstash – 根据包含数组中的对象将事件拆分为两个
Intereting Posts
Windows事件日志转发 使用Rackspace云时的networking架构 确认yum-cron在CentOS 7服务器上configuration正确 一台机器的多个DNSlogging 如何将正在运行的虚拟机从一个虚拟机pipe理程序迁移到另一个? WSSTRACING.EXE高CPU 在Windows防火墙中阻止远程桌面服务的所有2 ips仍然变得不良login 在Debian软件包中发生冲突 从POP / IMAP / Exchange邮箱中获取附件的可靠/可靠的方法 如何从多个驱动器创build一个大卷,但是如果失败,只能释放存储在一个磁盘上的文件? 错误2002(HY000):无法通过套接字“/tmp/mysql.sock”连接到本地MySQL服务器(2) CSF日志文件解释 在Windows XP上同步时间是不可能的吗? 如何监视mysql的百分比磁盘利用率? 复制/粘贴大文件崩溃的Windows

Logstash – 根据包含数组中的对象将事件拆分为两个

我正在第一次使用logstash,我试图从amavisd-new中接收JSON报告进行search和分析。 Amavisd-new能够将json日志写入到redis中,并且我已经完全导入了所有的东西,并且已经开始通过所有这些学习我的方式了。

但是我有一个问题 – amavis的JSON报告的格式如下所示 – 注意“收件人”有一个数组,每个收件人有一个条目。

我想把整个事件分成两个 – 每个收件人一个,所有其他字段保持不变,但是将每个收件人数组成员的“action”,“ccat_main”,“queued_as”等字段replace为主甚至。

这个想法是,有两个收件人的传入事件会导致logstash中有两个单独的日志事件 – 每个人都有一个事件。

我已经看到分裂的事件,但我没有看到如何做到这一点 – 我似乎无法find任何适当的例子。

所以,对于真实的例子,给定这个: 

{ "@timestamp" => "2014-05-06T09:29:47.048Z", "time_unix" => 1399368587.048, "time_iso_week_date" => "2014-W19-2", "partition" => "19", "type" => "amavis", "host" => "mailer.example.net", "queued_as" => ["3gNFyR4Mfjzc3", "3gNFyR4n6Lzc4"], "recipients" => [ { "action" => "PASS", "ccat_main" => "Clean", "queued_as" => "3gNFyR4Mfjzc3", "rcpt_is_local" => false, "rcpt_to" => "[email protected]", "smtp_code" => "250", "smtp_response" => "250 2.0.0 from MTA(smtp:[::1]:10013): 250 2.0.0 Ok: queued as 3gNFyR4Mfjzc3", "spam_score" => -2.0 }, { "action" => "PASS", "ccat_main" => "Clean", "mail_id_related" => "men7HTERZaOF", "penpals_age" => 1114599, "queued_as" => "3gNFyR4n6Lzc4", "rcpt_is_local" => true, "rcpt_to" => "[email protected]", "smtp_code" => "250", "smtp_response" => "250 2.0.0 from MTA(smtp:[::1]:10013): 250 2.0.0 Ok: queued as 3gNFyR4n6Lzc4", "spam_score" => -5.272 } ], "smtp_code" => ["250"], }

我想结束两个不同的事件,像这样: 

  { "@timestamp" => "2014-05-06T09:29:47.048Z", "time_unix" => 1399368587.048, "time_iso_week_date" => "2014-W19-2", "partition" => "19", "type" => "amavis", "host" => "mailer.example.net", "queued_as" => ["3gNFyR4Mfjzc3", "3gNFyR4n6Lzc4"], "action" => "PASS", "ccat_main" => "Clean", "queued_as" => "3gNFyR4Mfjzc3", "rcpt_is_local" => false, "rcpt_to" => "[email protected]", "smtp_code" => "250", "smtp_response" => "250 2.0.0 from MTA(smtp:[::1]:10013): 250 2.0.0 Ok: queued as 3gNFyR4Mfjzc3", "spam_score" => -2.0 "smtp_code" => ["250"], } 

  { "@timestamp" => "2014-05-06T09:29:47.048Z", "time_unix" => 1399368587.048, "time_iso_week_date" => "2014-W19-2", "partition" => "19", "type" => "amavis", "host" => "mailer.example.net", "queued_as" => ["3gNFyR4Mfjzc3", "3gNFyR4n6Lzc4"], "recipients" => [ "action" => "PASS", "ccat_main" => "Clean", "mail_id_related" => "men7HTERZaOF", "penpals_age" => 1114599, "queued_as" => "3gNFyR4n6Lzc4", "rcpt_is_local" => true, "rcpt_to" => "[email protected]", "smtp_code" => "250", "smtp_response" => "250 2.0.0 from MTA(smtp:[::1]:10013): 250 2.0.0 Ok: queued as 3gNFyR4n6Lzc4", "spam_score" => -5.272 "smtp_code" => ["250"], }

我怎样才能做到这一点?

谢谢-

汤姆

另外,很久以前就有人问到这里有两个链接: https://www.elastic.co/guide/en/logstash/current/plugins-filters-metricize.html https://www.elastic。 CO /引导/ EN / logstash /电stream/插件filter,clone.html