JSON提取器和嵌套字段的问题答案

【问题标题】：Problem with JSON extractor and nested fieldsJSON提取器和嵌套字段的问题
【发布时间】：2020-11-05 13:02:15
【问题描述】：

我遇到了 JSON 字段未正确提取的问题。

首先，我的输入中有一个 JSON 提取器，用于提取消息字段，这将产生一个新的 MESSAGE 字段，其内容如下：

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"e03a5c76-2122-4c1d-8265-be6e9cdc5e11", "stage":"ResponseComplete","requestURI":"/api/v1/namespaces/ingress-nginx/configmaps/ingress-controller-leader-nginx","verb":"update","user":{"用户名":"system:serviceaccount:ingress-nginx:ingress-nginx","uid":"42491580-cda5-4856-9f1b-ae133faadba7","groups":["system:serviceaccounts","system:serviceaccounts:ingress- nginx","system:authenticated"]},"sourceIPs":["10.81.100.2"],"userAgent":"nginx-ingress-controller/v0.40.2 (linux/amd64) ingress-nginx/fc4ccc5eb0e41be2436a978b01477fc354f31643"," objectRef":{"resource":"configmaps","namespace":"ingress-nginx","name":"ingress-controller-leader-nginx","uid":"7bd1f348-9586-45ea-b41c-897c8ba83985 ","apiVersion":"v1","resourceVersion":"178373"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-11-04T09:21 :18.756400Z","stageTimestamp":"2020-11-04T09:21:18.759305Z","annotations":{"authentication.k8s.i o/legacy-token":"system:serviceaccount:ingress-nginx:ingress-nginx","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: 允许Role“ingress-nginx”的RoleBinding“ingress-nginx/ingress-nginx”到ServiceAccount“ingress-nginx/ingress-nginx””}}

但问题是 JSON 路径注释（粗体）未提取到字段中。有没有办法做到这一点？

谢谢！

【问题讨论】：

标签： graylog

【解决方案1】：

这很可能是因为annotations，更具体地说，authorization.k8s.io/reason 的属性值破坏了 JSON 格式。

【讨论】：