Json Array 拆分问题 Logstash 配置：意外的输入结束：Array 的预期关闭标记（在 [Source: (S

Question

这就是我的 json 对象的样子，我已经验证我得到的 json 是有效的。我尝试设置相同的配置文件，但总是得到相同的错误

SON 解析错误，原始数据现在在消息字段 {:error=>#, :data=>"{\"total_rows\":15587,\"offset\":0,\"rows\":[\ r"} [2019-08-05T21:07:49,799][WARN][logstash.filters.split] 只有字符串和数组类型是可拆分的。字段：[doc][serversGroups] 的类型 = NilClass [2019-08-05T21:07:50,584][WARN][logstash.filters.split] 只有字符串和数组类型是可拆分的。字段：[doc][serversGroups][ActiveUsers] 的类型 = NilClass

这是我用于 logstash 的源配置文件

filter {

json {
source => "message"
skip_on_invalid_json => "true"
target => "doc"
}

split {

field => "[doc][serversGroups]"

}

split {

field => "[doc][serversGroups][ActiveUsers]"
}

date {
      match => [ "[doc][date]", "UNIX" ]
      target => "unix_time"
    }

mutate {
      convert => { "[doc][serversGroups][ActiveUsers][handle]" => "integer"
                   "[doc][serversGroups][list][UsedLicenses]" => "integer"
                   "[doc][serversGroups][list][issuedLicenses]" => "integer"
      }
    }

fingerprint {
concatenate_all_fields => "true"
method => "SHA256"
target => "fingerprint"
  }
}

output {

stdout {
codec => "rubydebug"
}

elasticsearch {
hosts => ["localhost:9200"]
index => "pyyython"
codec => "json"
document_id => "%{[fingerprint]}"
}


}

这是我的源 JSON

{
  "total_rows": 156122,
  "offset": 12,
  "rows": [
    {
      "id": "12345",
      "key": "12345",
      "value": {
        "rev": "1-12345"
      },
      "doc": {
        "_id": "12345",
        "_rev": "1-12345",
        "date": "15645348122",
        "HostServerName": "abc.com",
        "serversGroups": [
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "1"
            },
            "ActiveUsers": [
              {
                "user": "me",
                "user_host": "myself",
                "dispay": "andI",
                "version": "v1.1",
                "server_host": "testing.abc.com",
                "handle": "12345",
                "last_date_license_check": "7/7",
                "last_time_license_check": "12:12"
              }
            ]
          }
        ]
      }
    }
  ]
}

我不断收到此错误

SON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Array (start marker at [Source: (S"; line: 1, column: 39])87,"offset":0,"rows":[
"; line: 2, column: 41]>, :data=>"{\"total_rows\":15587,\"offset\":0,\"rows\":[\r"}
[2019-08-05T21:07:49,799][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups] is of type = NilClass
[2019-08-05T21:07:50,584][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups][ActiveUsers] is of type = NilClass

不确定我的拆分是否错误！

Answer 1

您显示的源 JSON 显然无效，因为它以逗号结尾。如果我用

替换逗号

]
}
}
]
}

那么它是有效的。进行该更改后，可以使用

进行拆分

split { field => "[doc][rows][0][doc][serversGroups]" }
split { field => "[doc][rows][0][doc][serversGroups][ActiveUsers]" }