Logstash Grok JSON 错误 - 不同类型的映射器

Question

我有这个日志文件：

2020-08-05 09:11:19 INFO-flask.model-{"version": "1.2.1", "time": 0.651745080947876, "output": {...}}

这是我的 logstash 过滤器设置

grok{
        match => {
          "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level}-%{DATA:model}-%{GREEDYDATA:log.message}"}
        }
    date {
            timezone => "UTC"
            match => ["timestamp" , "ISO8601", "yyyy-MM-dd HH:mm:ss"]
            target => "@timestamp"
            remove_field => [ "timestamp" ]
    }
    
    json{
            source => "log.message"
            target => "log.message"
    }
    mutate {
            add_field => {
                    "execution.time" => "%{[log.message][time]}"
            }
    }
}

我想从消息中提取“时间”值。但我收到此错误：

[2020-08-05T09:11:32,688][WARN ][logstash.outputs.elasticsearch][main][81ad4d5f6359b99ec4e52c93e518567c1fe91de303faf6fa1a4d905a73d3c334] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"index-2020.08.05", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0xbe6a80>], :response=>{"index"=>{"_index"=>"index-2020.08.05", "_type"=>"_doc", "_id"=>"ywPjvXMByEqBCvLy1871", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [log.message.input.values] of different type, current_type [long], merged_type [text]"}}}}

Answer 1

请为您的 logstash 配置找到过滤器部分：

filter {
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log-level}-%{DATA:model}-%{GREEDYDATA:KV}" }
  overwrite => [ "message" ]
      }

  kv {
       source => "KV"
       value_split => ": "
       field_split => ", "
       target => "msg"
     }

}

希望这能解决您的问题。