如何检查json字符串中的键值对以获取logstash中的消息字段答案

【问题标题】：How to check key value pair in json string for message field in logstash如何检查json字符串中的键值对以获取logstash中的消息字段
【发布时间】：2021-10-11 15:06:28
【问题描述】：

这里是日志 json 字符串的示例，message 字段又是一个 json 字符串。

{
"service_id" => "sec-sip",
"@version" => "1",
"logplane" => "containerlogs",
"componentName" => "container",
"message" => "{"version":"1.0","timestamp":"2021-08-06T13:48:56.640+0000","severity":"info","service_id":"MANAGER@m.syslog","message":"santu  testtttttttttttttttttttttt","extra_data":{"manager":{"log_plane":"alarmlogs","alarm_raise_time":"1628251669506","alarm_update_time":"1628257736581","source_type":"MANAGER","alarm_instance_id":"1","alarm_proposed_repair_action":"Informational alarm no action required.","alarm_handler_specific_problem":null,"specific_problem":"Business Logic Updated","event_type":"Processing",}}}",
"version" => "0.2.0",
"timestamp" => "2021-08-06T16:47:13.736Z"
}

我需要在 [extra_data][manager][logplane] == "alarmlogs" 的基础上更改 logplane 值

您能帮我吗，我们如何从消息字段中提取此密钥并应用条件？

我想实现下面给出的。

 if [extra_data][manager][logplane] == "alarmlogs" {
          mutate {
            replace => {"[logplane]" => "informational"}
         }
    }

【问题讨论】：

标签： logstash logstash-grok logstash-configuration elk logstash-file

【解决方案1】：

您必须使用json filter 将string 转换为json 对象。在你的情况下，做类似的事情

 filter {
   json {
     source => "message"
     target => "json_message"
   }

   if [json_message][extra_data][manager][logplane] == "alarmlogs" {
      mutate {
        replace => {"[logplane]" => "informational"}
     }
   }
 }

不确定是否要转换回这个新的json object

【讨论】：