时间戳

首页 > 解决方案 > Json Array 拆分问题 Logstash 配置:意外的输入结束:Array 的预期关闭标记(在 [Source: (S

elasticsearch - Json Array 拆分问题 Logstash 配置:意外的输入结束:Array 的预期关闭标记(在 [Source: (S

问题描述

这就是我的 json 对象的样子,我已经验证我得到的 json 是有效的。我尝试设置相同的配置文件,但总是得到相同的错误

SON 解析错误,原始数据现在在消息字段 {:error=>#, :data=>"{\"total_rows\":15587,\"offset\":0,\"rows\":[\r"} [2019-08-05T21:07:49,799][WARN][logstash.filters.split] 只有字符串和数组类型是可拆分的。字段:[doc][serversGroups] 的类型 = NilClass [2019-08-05T21:07:50,584][WARN][logstash.filters.split] 只有字符串和数组类型是可拆分的。字段:[doc][serversGroups][ActiveUsers] 的类型 = NilClass

这是我用于 logstash 的源配置文件

filter {

json {
source => "message"
skip_on_invalid_json => "true"
target => "doc"
}

split {

field => "[doc][serversGroups]"

}

split {

field => "[doc][serversGroups][ActiveUsers]"
}

date {
      match => [ "[doc][date]", "UNIX" ]
      target => "unix_time"
    }

mutate {
      convert => { "[doc][serversGroups][ActiveUsers][handle]" => "integer"
                   "[doc][serversGroups][list][UsedLicenses]" => "integer"
                   "[doc][serversGroups][list][issuedLicenses]" => "integer"
      }
    }

fingerprint {
concatenate_all_fields => "true"
method => "SHA256"
target => "fingerprint"
  }
}

output {

stdout {
codec => "rubydebug"
}

elasticsearch {
hosts => ["localhost:9200"]
index => "pyyython"
codec => "json"
document_id => "%{[fingerprint]}"
}


}

这是我的源 JSON

{
  "total_rows": 156122,
  "offset": 12,
  "rows": [
    {
      "id": "12345",
      "key": "12345",
      "value": {
        "rev": "1-12345"
      },
      "doc": {
        "_id": "12345",
        "_rev": "1-12345",
        "date": "15645348122",
        "HostServerName": "abc.com",
        "serversGroups": [
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "12"
            },
            "ActiveUsers": [
              {}
            ]
          },
          {
            "ServiceName": "--- ",
            "list": {
              "issuedLicenses": "123",
              "UsedLicenses": "1"
            },
            "ActiveUsers": [
              {
                "user": "me",
                "user_host": "myself",
                "dispay": "andI",
                "version": "v1.1",
                "server_host": "testing.abc.com",
                "handle": "12345",
                "last_date_license_check": "7/7",
                "last_time_license_check": "12:12"
              }
            ]
          }
        ]
      }
    }
  ]
}

我不断收到此错误

SON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input: expected close marker for Array (start marker at [Source: (S"; line: 1, column: 39])87,"offset":0,"rows":[
"; line: 2, column: 41]>, :data=>"{\"total_rows\":15587,\"offset\":0,\"rows\":[\r"}
[2019-08-05T21:07:49,799][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups] is of type = NilClass
[2019-08-05T21:07:50,584][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[doc][serversGroups][ActiveUsers] is of type = NilClass

不知道我的分裂是不是错了!

标签: elasticsearchlogstashlogstash-groklogstash-configurationlogstash-file

解决方案

您显示的源 JSON 显然无效,因为它以逗号结尾。如果我用逗号替换

]
}
}
]
}

那么它是有效的。进行该更改后,可以使用

split { field => "[doc][rows][0][doc][serversGroups]" }
split { field => "[doc][rows][0][doc][serversGroups][ActiveUsers]" }

推荐阅读