
How can Logstash parse logs that contain Windows file paths?

Anonymous | Posted on December 28, 2017 | Views: 6189

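The log file contains JSON-formatted data. If the JSON data contains backslashes, as in Windows file paths, neither Logstash's json filter nor the json codec can parse it; it fails with error code 85. The error message is as follows:
exception=>#<LogStash::Json::ParserError: Unrecognized character escape 'A' (code 85)
The raw data is as follows: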
Dec 2 11:39:45 100.8.82.104 sdfFORCE {"BLOCKED":"无","INCIDENT_ID":"2156662","RECIPIENTS":"N/A","SENDER":"N/A","RULES":"中国身份证号(窄), 中国身份证号, 手机号码和身份证号","SEVERITY":"1:高","INCIDENT_SNAPSHOT":"https://FORCE/ProtectManager/E ... value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2156662","MATCH_COUNT":"156","POLICY":"客户数据保护","SUBJECT":"N/A","FILE_NAME":"报税信息2016.09.xlsx","PARENT_PATH":"\\10.10.43.55\服务有限公司\08 资金财务部\Accounting File\Tax file\软件安装","PATH":"\\10.10.43.55\服务有限公司\08 资金财务部\Accounting File\Tax file\软件安装\报税信息2016.09.xlsx","QUARANTINE_PARENT_PATH":"N/A","SCAN":"N/A","TARGET":"N/A"}
Grok handles the leading part without problems; the main issue is the JSON parse error. Could an expert please give some guidance?

Anonymous user

Upvoted by: lianjie

Solved. Configuration for handling the Windows path escapes:
gsub => ["my_field", "[\\]", "/"]
For everyone's reference.
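
As an added example that is not part of the original post, this Python sketch reproduces the parse failure outside Logstash, compares the gsub substitution above with doubling each backslash (which keeps the UNC path intact), and shows that some unescaped paths parse without error but into the wrong characters. The sample records are constructed (the first is shortened from the question's record), the function names are hypothetical, and doubling assumes the producer never emits real JSON escapes.

```python
import json

# Constructed sample, shortened from the record in the question. The
# backslashes are raw, exactly as the producer wrote them (not JSON-escaped).
RAW = r'{"INCIDENT_ID":"2156662","PARENT_PATH":"\\10.10.43.55\share\08 Finance\Accounting File\Tax file"}'

# Constructed sample: "\t" and "\n" happen to be valid JSON escapes, so this
# record parses without any error and the path is silently corrupted.
SILENT = r'{"PATH":"C:\temp\new"}'


def try_parse(text):
    """Return (parsed_dict, None) on success or (None, error_message)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, exc.msg


def slash_paths(text):
    """Same substitution as the gsub in the answer: every backslash -> '/'."""
    return text.replace("\\", "/")


def escape_backslashes(text):
    """Double every backslash so each one decodes back to a literal backslash.

    Assumption: the producer never writes JSON escapes such as \\" or \\uXXXX;
    if it did, this would double those as well and change their meaning.
    """
    return text.replace("\\", "\\\\")


if __name__ == "__main__":
    print("raw:     ", try_parse(RAW))
    print("slashes: ", try_parse(slash_paths(RAW))[0]["PARENT_PATH"])
    print("escaped: ", try_parse(escape_backslashes(RAW))[0]["PARENT_PATH"])
    # No exception here, but the value contains a tab and a newline.
    print("silent:  ", repr(try_parse(SILENT)[0]["PATH"]))
    print("fixed:   ", repr(try_parse(escape_backslashes(SILENT))[0]["PATH"]))
```

Because of the silent case, apply the substitution to every event before the JSON parse rather than only to events that fail parsing.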

strglee

Upvoted by:

This is clearly not JSON data.
{"BLOCKED":"无","INCIDENT_ID":"2156662","RECIPIENTS":"N/A","SENDER":"N/A","RULES":"中国身份证号(窄), 中国身份证号, 手机号码和身份证号","SEVERITY":"1:高","INCIDENT_SNAPSHOT":"https://FORCE/ProtectManager/E ... value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2156662","MATCH_COUNT":"156","POLICY":"客户数据保护","SUBJECT":"N/A","FILE_NAME":"报税信息2016.09.xlsx","PARENT_PATH":"\\10.10.43.55\服务有限公司\08 资金财务部\Accounting File\Tax file\软件安装","PATH":"\\10.10.43.55\服务有限公司\08 资金财务部\Accounting File\Tax file\软件安装\报税信息2016.09.xlsx","QUARANTINE_PARENT_PATH":"N/A","SCAN":"N/A","TARGET":"N/A"}

to json ->

'{"INCIDENT_SNAPSHOT": "https://FORCE/ProtectManager/E ... value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2156662", "INCIDENT_ID": "2156662", "SENDER": "N/A", "RECIPIENTS": "N/A", "SEVERITY": "1:\\u9ad8", "RULES": "\\u4e2d\\u56fd\\u8eab\\u4efd\\u8bc1\\u53f7(\\u7a84), \\u4e2d\\u56fd\\u8eab\\u4efd\\u8bc1\\u53f7, \\u624b\\u673a\\u53f7\\u7801\\u548c\\u8eab\\u4efd\\u8bc1\\u53f7", "FILE_NAME": "\\u62a5\\u7a0e\\u4fe1\\u606f2016.09.xlsx", "SCAN": "N/A", "PARENT_PATH": "\\\\10.10.43.55\\\\\\u670d\\u52a1\\u6709\\u9650\\u516c\\u53f8\\u00008 \\u8d44\\u91d1\\u8d22\\u52a1\\u90e8\\\\Accounting File\\\\Tax file\\\\\\u8f6f\\u4ef6\\u5b89\\u88c5", "QUARANTINE_PARENT_PATH": "N/A", "TARGET": "N/A", "POLICY": "\\u5ba2\\u6237\\u6570\\u636e\\u4fdd\\u62a4", "PATH": "\\\\10.10.43.55\\\\\\u670d\\u52a1\\u6709\\u9650\\u516c\\u53f8\\u00008 \\u8d44\\u91d1\\u8d22\\u52a1\\u90e8\\\\Accounting File\\\\Tax file\\\\\\u8f6f\\u4ef6\\u5b89\\u88c5\\\\\\u62a5\\u7a0e\\u4fe1\\u606f2016.09.xlsx", "SUBJECT": "N/A", "MATCH_COUNT": "156", "BLOCKED": "\\u65e0"}'
