You can skip the json codec and instead use a multiline filter to join the messages into a single string, then feed that into a json filter.
```
filter {
  multiline {
    # Every line that does NOT start the array is appended to the previous event
    pattern => '^\{"vulnerabilities":\['
    negate => true
    what => "previous"
  }
  json {
    source => "message"
  }
}
```

However, this produces the following undesirable result:
```
{
           "message" => "<omitted for brevity>",
          "@version" => "1",
        "@timestamp" => "2014-10-31T06:48:15.589Z",
              "host" => "name-of-your-host",
              "tags" => [
        [0] "multiline"
    ],
    "vulnerabilities" => [
        [0] {
             "ip" => "10.1.1.1",
            "dns" => "z.acme.com",
            "vid" => "12345"
        },
        [1] {
             "ip" => "10.1.1.2",
            "dns" => "y.acme.com",
            "vid" => "12345"
        },
        [2] {
             "ip" => "10.1.1.3",
            "dns" => "x.acme.com",
            "vid" => "12345"
        }
    ]
}
```

Unless the vulnerabilities array has a fixed number of elements, I don't think there is much we can do about this (without resorting to a ruby filter).
What about applying the json filter only to the lines that look like the ones we want and dropping the rest? Your question doesn't make it clear whether all of your logs look like this, so this may not be very useful.
```
filter {
  # Only lines that look like one vulnerability object are kept
  if [message] =~ /^\s+{"ip":/ {
    # Remove trailing commas so each line is valid JSON on its own
    mutate {
      gsub => ["message", ",$", ""]
    }
    json {
      source => "message"
      remove_field => ["message"]
    }
  } else {
    drop {}
  }
}
```
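To make the difference between the two filter chains concrete, here is a small Python emulation of both approaches; it is an added example, not code from the answer above, and the sample log, the `SAMPLE_LOG` name and the helper function names are constructed assumptions.

```python
import json
import re

# Constructed sample input modelled on the log layout discussed above:
# a "vulnerabilities" array with one object per line and trailing commas
# between elements (the last element has none).
SAMPLE_LOG = """\
{"vulnerabilities":[
  {"ip": "10.1.1.1", "dns": "z.acme.com", "vid": "12345"},
  {"ip": "10.1.1.2", "dns": "y.acme.com", "vid": "12345"},
  {"ip": "10.1.1.3", "dns": "x.acme.com", "vid": "12345"}
]}
"""

# Same condition as the conditional  if [message] =~ /^\s+{"ip":/
VULN_LINE = re.compile(r'^\s+\{"ip":')


def multiline_then_json(text):
    """Approach 1: join all lines into one message and parse it as JSON.

    Emulates multiline + json: the result is a single event whose
    "vulnerabilities" field holds the whole array, which is the unwanted
    nested result shown above.
    """
    return json.loads(text)


def per_line_events(text):
    """Approach 2: parse only lines that look like a vulnerability object.

    Emulates the second filter: matching lines get their trailing comma
    stripped (mutate gsub ",$" -> "") and are parsed as JSON, yielding one
    event per vulnerability; every other line (array header/footer) is
    dropped, just like the drop {} branch.
    """
    events = []
    for line in text.splitlines():
        if not VULN_LINE.match(line):
            continue  # drop {}
        cleaned = re.sub(r",$", "", line)  # last element has no comma to strip
        events.append(json.loads(cleaned))
    return events


if __name__ == "__main__":
    print(len(multiline_then_json(SAMPLE_LOG)["vulnerabilities"]), "nested entries")
    print(len(per_line_events(SAMPLE_LOG)), "separate events")
```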


