filebeat osqueryd 日志中有[] 这玩意怎么处理？

Beats | 作者 zqc0512 | 发布于2018年10月23日 | 阅读数：2808

"osquery": {
"result": {
"name": "pack_it-compliance_os_version",
"unix_time": 1540281585,
"action": "snapshot",
"epoch": 0,
"counter": 0,
"calendar_time": "Tue Oct 23 07:59:45 2018 UTC",
"snapshot": [
{
"patch": "1611",
"major": "7",
"minor": "3",
"build": "",
"codename": "",
"name": "CentOS Linux",
"platform_like": "rhel",
"version": "CentOS Linux release 7.3.1611 (Core)",
"platform": "rhel"
}
],
"host_identifier": "xxxx.xxxxx"
}
},

snapshot中有[] 怎么处理解析 mapping ?
_ingest/pipeline 怎么破这玩意？
filebeat直接写入ES

9 个回复

rochy - rochy_he

snapshot 中有 [] 应该是 nest 类型了
你可以通过设置 snapshot 的 properties 来设置内部包含的字段的具体映射
详细参考：https://www.elastic.co/guide/e ... arams

rochy - rochy_he

这个里面是 json，可以进行解析；不过万一这个数组有多个元素你就不好处理了

zqc0512 - andy zhou

mapping怎么写啊。

zqc0512 - andy zhou

"osquery": {
"properties": {
"result": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
},
"snapshot": {
"properties": {
"patch": {
"type": "keyword",
"ignore_above": 1024
},
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"platform_like": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"host_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"unix_time": {
"type": "long"
},
"calendar_time": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}
}
},
"aliases": {}
}
这mapping应该怎么修改？ snapshot 我是按照json写的。现在elastic点不进去。
不晓得这里应该怎么写

zqc0512 - andy zhou

is like this ?

"snapshot": {
"type": "nested",
"properties": {
"patch": {
"type": "keyword",
"ignore_above": 1024
},

zqc0512 - andy zhou

不好使呢。这个不能够解析成单个值呢 ……
类似：osquery.result.snapshot.patch: "1611",
这个怎么破？

mapping is

"osquery": {
"properties": {
"result": {
"properties": {
"name": {
"type": "keyword",
"ignore_above": 1024
},
"snapshot": {
"type": "nested",
"dynamic": true,
"properties": {
"build": {
"type": "keyword",
"ignore_above": 1024
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"major": {
"ignore_above": 1024,
"type": "keyword"
},
"minor": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"patch": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"platform_like": {
"type": "keyword",
"ignore_above": 1024
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"hostIdentifier": {
"ignore_above": 1024,
"type": "keyword"
},
"host_identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"epoch": {
"ignore_above": 1024,
"type": "keyword"
},
"counter": {
"ignore_above": 1024,
"type": "keyword"
},
"unix_time": {
"type": "long"
},
"unixtime": {
"type": "long"
},
"calendar_time": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}
}
},
"aliases": {}
}

zqc0512 - andy zhou

原始数据

{"snapshot":[{"build":"","codename":"","major":"7","minor":"3","name":"CentOS Linux","patch":"1611","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.3.1611 (Core)"}],"action":"snapshot","name":"pack_it-compliance_os_version","hostIdentifier":"xxx","calendarTime":"Tue Oct 23 12:45:28 2018 UTC","unixTime":1540298728,"epoch":0,"counter":0,"decorations":{"host_uuid":"xxxxx","username":"root"}}

rochy - rochy_he

你这个 nest 对象是数组，应该是 osquery.result.snapshot[0].patch: "1611"
暂时没看明白你到底要做什么

zqc0512 - andy zhou

我想把这里面的内容提出来搞成类似这样。单个值……
osquery.result.snapshot.patch: "1611",
osquery.result.snapshot.minor: "3",
……
现在他放在里面一起了。
"snapshot": [
{
"patch": "1611",
"minor": "3",
"major": "7",
"build": "",
"codename": "",
"name": "CentOS Linux",
"platform_like": "rhel",
"version": "CentOS Linux release 7.3.1611 (Core)",
"platform": "rhel"
}
],
我kibana上面图表展示不出来。

要回复问题请先登录或注册

filebeat osqueryd 日志中有[] 这玩意怎么处理？

9 个回复

发起人

相关问题

问题状态

filebeat osqueryd 日志中有[] 这玩意怎么处理 ？

与内容相关的链接

9 个回复

发起人

相关问题

问题状态

filebeat osqueryd 日志中有[] 这玩意怎么处理？