Logstash无法解析json

是。您需要在配置中添加一个过滤器，如下所示。

filter{    json{        source => "message"    }}

在这里的文档中对此进行了很好的描述

编辑 json编解码器似乎不喜欢传入数组。单个元素与此配置一起工作：

输入：

{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }

Logstash结果：

{      "message" => "{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }",     "@version" => "1",   "@timestamp" => "2015-02-26T23:25:12.011Z",         "host" => "emmet.local",          "uid" => "441d1d1dd296fe60",         "name" => "test_buylinks",        "title" => "Testbuylinks",         "time" => {          "start" => 1419621623182,"stop" => 1419621640491,       "duration" => 17309   },     "severity" => "NORMAL",       "status" => "FAILED"

}

现在有了一个数组：

输入项

[{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }, {"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }]

结果：

Trouble parsing json {:source=>"message", :raw=>"[{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }, {"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }]", :exception=>#<TypeError: can't convert Array into Hash>, :level=>:warn}{      "message" => "[{"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }, {"uid":"441d1d1dd296fe60","name":"test_buylinks","title":"Testbuylinks","time":{"start":1419621623182,       "stop":1419621640491,"duration":17309      },      "severity":"NORMAL",      "status":"FAILED"   }]",     "@version" => "1",   "@timestamp" => "2015-02-26T23:28:21.195Z",         "host" => "emmet.local",         "tags" => [       [0] "_jsonparsefailure"   ]}

这看起来像是编解码器中的错误，您可以将消息更改为对象而不是数组吗？