在我之前的文章 “Logstash：Data 转换，分析，提取，丰富及核心操作” 有涉及到这个话题。今天我想使用一个具体的例子来更深入地展示。

 

准备数据

我们先来把如下的数据拷贝下来，并保存到一个叫做 sample.json 的文件中。我们可以把这个文件置于 Logstash 的安装根目录下。

sample.json

{"id":1,"timestamp":"2019-09-12T13:43:42Z","paymentType":"Amex","name":"Merrill Duffield","gender":"Female","ip_address":"132.150.218.21","purpose":"Toys","country":"United Arab Emirates","age":33}
{"id":2,"timestamp":"2019-08-11T17:55:56Z","paymentType":"Visa","name":"Darby Dacks","gender":"Female","ip_address":"77.72.239.47","purpose":"Shoes","country":"Poland","age":55}
{"id":3,"timestamp":"2019-07-14T04:48:25Z","paymentType":"Visa","name":"Harri Cayette","gender":"Female","ip_address":"227.6.210.146","purpose":"Sports","country":"Canada","age":27}
{"id":4,"timestamp":"2020-02-29T12:41:59Z","paymentType":"Mastercard","name":"Regan Stockman","gender":"Male","ip_address":"139.224.15.154","purpose":"Home","country":"Indonesia","age":34}
{"id":5,"timestamp":"2019-08-03T19:37:51Z","paymentType":"Mastercard","name":"Wilhelmina Polle","gender":"Female","ip_address":"252.254.68.68","purpose":"Health","country":"Ukraine","age":51}

$ pwd
/Users/liuxg/elastic/logstash-8.6.1
$ ls sample.json 
sample.json

解析及过滤 JSON 文件

我们有如下的几种方法：

使用 Logstash 的 Input JSON codec

我们创建如下的 Logstash 配置文件：

logstash_input.conf

input {
  file {
    path => "/Users/liuxg/elastic/logstash-8.6.1/sample.json"
    type    => "applog"
    codec   => "json"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

output {
	stdout { 
	  codec => rubydebug 
	}
}

我们运行 Logstash：

$ pwd
/Users/liuxg/elastic/logstash-8.6.1
$ ./bin/logstash -f logstash_input.conf

在运行的 terminal 中，我们可以看到如下的结果：

从上面，我们可以看出来我们的数据已经变为结构化的数据了。

使用 JSON filter

我们创建如下的一个 Logstash 配置文件：

logstash_filter.conf

input {
  file {
    path => "/Users/liuxg/elastic/logstash-8.6.1/sample.json"
    type    => "applog"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
    json {
        source => "message"
    }
}

output {
	stdout { 
	  codec => rubydebug 
	}
}

我们运行 Logstash：

$ pwd
/Users/liuxg/elastic/logstash-8.6.1
$ ./bin/logstash -f logstash_filter.conf

在运行的 terminal 中，我们可以看到如下的结果：

从上面我们可以看出来 JSON 文件也被正确地结构化了。

接下来，我们来清理一下我们的数据，并过滤掉那些  paymentType 为 Mastercard 的文档。我们进一步修改配置文件：

logstash_filter.conf

input {
  file {
    path => "/Users/liuxg/elastic/logstash-8.6.1/sample.json"
    type    => "applog"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
    json {
        source => "message"
    }

    if [paymentType] == "Mastercard" {
        drop {}
    }

    mutate {
        remove_field => ["message", "@timestamp", "path", "host", "@version", "log", "event"]
    }

}

output {
	stdout { 
	  codec => rubydebug 
	}
}

在上面，我们过滤掉 paymentType 为 Mastercard 的文档，同时，我们也去除一些不需要的字段，比如 message。我们再次运行：

很显然，我们这次没有看到 message 字段，同时 paymentType 为 Mastercard 的文档都被过滤掉了。

处理含有数值的 JSON 数据

接下来我们使用另外一组数据。在这个数据里，它的 JSON 文件里含有一个数组：

sample-split.json

{"id":1,"timestamp":"2019-06-19T23:04:47Z","paymentType":"Mastercard","name":"Ardis Shimuk","gender":"Female","ip_address":"91.33.132.38","purpose":"Home","country":"France","pastEvents":[{"eventId":1,"transactionId":"trx14224"},{"eventId":2,"transactionId":"trx23424"}],"age":34}
{"id":2,"timestamp":"2019-11-26T15:40:56Z","paymentType":"Amex","name":"Benoit Urridge","gender":"Male","ip_address":"26.71.230.228","purpose":"Shoes","country":"Brazil","pastEvents":[{"eventId":3,"transactionId":"63323-064"},{"eventId":4,"transactionId":"0378-3120"}],"age":51}
{"id":3,"timestamp":"2019-05-08T16:24:25Z","paymentType":"Visa","name":"Lindsy Ketchell","gender":"Female","ip_address":"189.216.71.184","purpose":"Home","country":"Brazil","pastEvents":[{"eventId":5,"transactionId":"68151-3826"},{"eventId":6,"transactionId":"52125-611"}],"age":26}
{"id":4,"timestamp":"2019-06-10T18:01:32Z","paymentType":"Visa","name":"Cary Boyes","gender":"Male","ip_address":"223.113.73.232","purpose":"Grocery","country":"Pakistan","pastEvents":[{"eventId":7,"transactionId":"63941-950"},{"eventId":8,"transactionId":"55926-0011"}],"age":46}
{"id":5,"timestamp":"2020-02-18T12:27:35Z","paymentType":"Visa","name":"Betteanne Diament","gender":"Female","ip_address":"159.148.102.98","purpose":"Computers","country":"Brazil","pastEvents":[{"eventId":9,"transactionId":"76436-101"},{"eventId":10,"transactionId":"55154-3330"}],"age":41}

请注意上面最后面的一个空行。这样可以保证所有的文档被摄入。如上所示，它含有一个叫做 pastEvents 的字段。它是一个数组。在每个文档中，它含有 1 个或多个 eventId。我们可以通过 split 过滤器来把这些 eventId 变成单个的事件。

我们创建如下的一个 Logstash 配置文件：

logstash_split.conf

input {
  file {
    path => "/Users/liuxg/elastic/logstash-8.6.1/sample-split.json"
    type    => "applog"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
    json {
        source => "message"
    }

    split {
        field => "[pastEvents]"
    }

    mutate {
        remove_field => ["message", "@timestamp", "path", "host", "@version", "log", "event"]
    }

}

output {
	stdout { 
	  codec => rubydebug 
	}
}

我们可以参考官方文档 Split filter plugin | Logstash Reference [8.6] | Elastic 来了解更多关于 split 过滤的功能。

我们运行上面的 pipeline：

./bin/logstash -f logstash_split.conf

我们可以看到在之前的源 JSON 文档中，它共有5个文档，但是经过 split 过滤器后，它现在变为 10 个文档了。

输出到 Elasticsearch

经过上面的 input 及 filter，我们得到了我们想要的结构化的数据。我们可以参考文章 “Logstash：如何连接到带有 HTTPS 访问的集群” 把输出结果输出到 Elasticsearch 集群中。这里就不再累述了。