这是我们的Logstash标准输出{}:
{
"_index": "logstash",
"_type": "_doc",
"_id": "UPUcBnEBHL50VNrwHY-Q",
"_version": 1,
"_score": null,
"_source":
{"host": {"name": "xxxxxx"},
"@timestamp": "2020-03-23T06:37:16.915Z",
"data": {"node": "node1","level": "INFO", "timestamp": "2020-03-23T07:37:11,050","thread": "EthScheduler-Workers-3","throwable": "","class": "BlockPropagationManager","message": "Imported #979 / 0 tx / 0 om / 0 (0.0%) gas /(0xcbd404f6cec12eaecb9bed309b953fe5671ee868843807321772369b47756371) in 0.000s."}
}
在ELS中,我们希望“数据”对象中的“消息”文本字段:
"message": "Imported #979 / 0 tx / 0 om / 0 (0.0%) gas / (0xcbd404f6cec12eaecb9bed309b953fe5671ee868843807321772369b47756371) in 0.000s."
in the JSON structured from below:
{Imported: 979,Tx: 0,Gas: 0 Hash:0xcbd404f6cec12eaecb9bed309b953fe5671ee868843807321772369b47756371,duration: 0,000s}
您能帮助我们解决问题吗?提前致谢!BR
您需要为此编写自定义的grok模式,匹配message字段中的各个子字符串,例如提取Imported字段
grok {
match => { "message" => "Imported #%{NUMBER:Imported}" }
}