
我想知道如何在 Logstash 中解析包含多个事件的 JSON 消息。下面是这类 JSON 消息的一个示例:

{ 
    "Records": [ 
    { 
     "eventVersion": "1.03", 
     "userIdentity": { 
      "type": "IAMUser", 
      "principalId": "111122223333", 
      "arn": "arn:aws:iam::111122223333:user/myUserName", 
      "accountId": "111122223333", 
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 
      "userName": "myUserName" 
     }, 
     "eventTime": "2015-08-26T20:46:31Z", 
     "eventSource": "s3.amazonaws.com", 
     "eventName": "DeleteBucketPolicy", 
     "awsRegion": "us-west-2", 
     "sourceIPAddress": "127.0.0.1", 
     "userAgent": "[]", 
     "requestParameters": { 
      "bucketName": "myawsbucket" 
     }, 
     "responseElements": null, 
     "requestID": "47B8E8D397DCE7A6", 
     "eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8", 
     "eventType": "AwsApiCall", 
     "recipientAccountId": "111122223333" 
    }, 
    { 
     "eventVersion": "1.03", 
     "userIdentity": { 
      "type": "IAMUser", 
      "principalId": "111122223333", 
      "arn": "arn:aws:iam::111122223333:user/myUserName", 
      "accountId": "111122223333", 
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 
      "userName": "myUserName" 
     }, 
     "eventTime": "2015-08-26T20:46:31Z", 
     "eventSource": "s3.amazonaws.com", 
     "eventName": "PutBucketAcl", 
     "awsRegion": "us-west-2", 
     "sourceIPAddress": "", 
     "userAgent": "[]", 
     "requestParameters": { 
      "bucketName": "", 
      "AccessControlPolicy": { 
       "AccessControlList": { 
        "Grant": { 
         "Grantee": { 
          "xsi:type": "CanonicalUser", 
          "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", 
          "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example" 
         }, 
         "Permission": "FULL_CONTROL" 
        } 
       }, 
       "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", 
       "Owner": { 
        "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example" 
       } 
      } 
     }, 
     "responseElements": null, 
     "requestID": "BD8798EACDD16751", 
     "eventID": "607b9532-1423-41c7-b048-ec2641693c47", 
     "eventType": "AwsApiCall", 
     "recipientAccountId": "111122223333" 
    }, 
    { 
     "eventVersion": "1.03", 
     "userIdentity": { 
      "type": "IAMUser", 
      "principalId": "111122223333", 
      "arn": "arn:aws:iam::111122223333:user/myUserName", 
      "accountId": "111122223333", 
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 
      "userName": "myUserName" 
     }, 
     "eventTime": "2015-08-26T20:46:31Z", 
     "eventSource": "s3.amazonaws.com", 
     "eventName": "GetBucketVersioning", 
     "awsRegion": "us-west-2", 
     "sourceIPAddress": "", 
     "userAgent": "[]", 
     "requestParameters": { 
      "bucketName": "myawsbucket" 
     }, 
     "responseElements": null, 
     "requestID": "07D681279BD94AED", 
     "eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657", 
     "eventType": "AwsApiCall", 
     "recipientAccountId": "111122223333" 
    } 
    ] 
} 

我的 Logstash 过滤器(filter)配置如下:

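filter {
  # Only events whose "type" field equals "s3-log" are handled here;
  # everything else passes through this filter block untouched.
  if [type] == "s3-log" {
    # Parse the raw JSON text held in "message" into top-level fields.
    # For a document shaped like the sample, this yields a "Records" array.
    # On a parse error the json filter tags the event "_jsonparsefailure".
    json {
      source => "message"
    }

    # Fan out only when parsing succeeded and "Records" is present, so a
    # malformed or unexpected payload stays as one tagged event that can be
    # routed and inspected instead of failing again inside split.
    if "_jsonparsefailure" not in [tags] and [Records] {
      # Emit one event per element of the "Records" array. With no target
      # set, "Records" in each new event holds that single record, so its
      # fields are addressed as [Records][eventName], [Records][eventTime], ...
      split {
        field => "Records"
      }

      # Use the record's own eventTime as @timestamp. Without this, every
      # record carries the time Logstash read the file, which skews audit
      # timelines and time-window correlation. Values that do not parse are
      # tagged "_dateparsefailure" and keep the ingest time.
      date {
        match => ["[Records][eventTime]", "ISO8601"]
      }

      # NOTE(review): each split event still carries the full original
      # "message" (the whole batch). Consider dropping it once parsing is
      # verified, to avoid storing the batch once per record.
    }
  }
}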

Logstash 的 json 过滤器插件能否帮助把这条 JSON 消息中的不同事件区分开?

回答