时间戳

首页 > 解决方案 > Logstash - 如何将字段复制到数组中

logstash - Logstash - 如何将字段复制到数组中

问题描述

我正在使用logstash 5.6

在我的文档中,我有一个子字段“[emailHeaders][reingested-on]”,以及另一个名为 [attributes] 的字段,其中包含几个子字段 [string]、[double],每个子字段都是数组。:

{
  "emailHeaders": {
    "reingested-on": ["1613986076000"]
  },
  "attributes": {
    "string": [
      {
        "name": "attributeString1",
        "value": "attributeStringValue1"
      },
      {
        "name": "attributeString2",
        "value": "attributeStringValue2"
      }
    ],
    "double": [
      {
        "name": "attributeDouble1",
        "value": 1.0
      }
    ]
  }
}

如果文档中存在元素 [emailHeaders][reingested-on],我想将 1613986076000(即 [emailHeaders][reingested-on] 的第一个元素)复制到 [attributes][date] 中,如下所示:

{
  "emailHeaders": {
    "reingested-on": ["1613986076000"]
  },
  "attributes": {
    "string": [
      {
        "name": "attributeString1",
        "value": "attributeStringValue1"
      },
      {
        "name": "attributeString2",
        "value": "attributeStringValue2"
      }
    ],
    "double": [
      {
        "name": "attributeDouble1",
        "value": 1.0
      }
    ],
    "date": [
      {
        "name": "Reingested on",
        "value": 1613986076000
      }
    ]
  }
}

请注意,如果 [attributes][date] 已经存在,并且已经包含名称/值对数组,我希望将我的新对象附加到数组中。另外,请注意 [attributes][date] 是一个对象数组,根据我的 ElasticSearch 索引的映射,它们的 [value] 属性中包含一个日期:

  ...
  "attributes": {
    "properties": {
      ...
      "date": {
        "type": "nested",
        "properties": {
          "id": {"type": "keyword"},
          "name": {"type": "keyword"},
          "value": {"type": "date"}
        }
      }, 
      ...
    }
  },
  ...

我尝试了以下logstash配置,但没有成功:

filter {
  # See https://stackoverflow.com/questions/30309096/logstash-check-if-field-exists : this is supposed to allow to "test" if [@metadata][reingested-on] exists
  mutate {
    add_field => { "[@metadata][reingested-on]" => "None" }
    copy => { "[emailHeaders][reingested-on][0]" => "[@metadata][reingested-on]" }
  }
  if [@metadata][reingested-on] != "None" {
    # See https://stackoverflow.com/questions/36127961/append-array-of-json-logstash-elasticsearch: I create a temporary [error] field, and I try to append it to [attributes][date]
    mutate {
      add_field => { "[error][name]" => "Reingested on" }
      add_field => { "[error][value]" => "[@metadata][reingested-on]" }
    }
    mutate {
      merge => {"[attributes][date]" => "[error]"}
    }
  }
}

但我得到的是:

{
  "emailHeaders": {
    "reingested-on": ["1613986076000"]
  }, 
  "error": {
    "name": "Reingested on",
    "value": "[@metadata][reingested-on]"
  },
  "attributes": {
    "string": [
      {
        "name": "attributeString1",
        "value": "attributeStringValue1"
      },
      {
        "name": "attributeString2",
        "value": "attributeStringValue2"
      }
    ],
    "double": [
      {
        "name": "attributeDouble1",
        "value": 1.0
      }
    ]
  }
}

我的临时 [error] 对象已创建,但它的值是错误的:它应该是 1613986076000 而不是 [@metadata][reingested-on]

此外,它不会附加到数组 [attribute][date] 中。在此示例中,此数组不存在,因此我希望根据上面的预期结果,使用我的临时对象作为第一个元素来创建它。

标签: logstashlogstash-configuration

解决方案

推荐阅读