本实践案例主要是从多层数组对象嵌套的场景,向读者介绍如何使用LOG DSL解决工作中的具体需求。
需求
这里以一个复杂的包括多层数组嵌套的对象举例, 希望可以将users下的每个对象中的login_histories的每个登录信息都拆成一个登录事件.
原始日志举例
__source__: 1.2.3.4
__topic__:
content:{
"users": [
{
"name": "user1",
"login_historis": [
{
"date": "2019-10-10 0:0:0",
"login_ip": "1.1.1.1"
},
{
"date": "2019-10-10 1:0:0",
"login_ip": "1.1.1.1"
},
{
...更多登录信息...
}
]
},
{
"name": "user2",
"login_historis": [
{
"date": "2019-10-11 0:0:0",
"login_ip": "1.1.1.2"
},
{
"date": "2019-10-11 1:0:0",
"login_ip": "1.1.1.3"
},
{
...更多登录信息...
}
]
},
{
....更多user....
}
]
}期望分裂出的日志
__source__: 1.2.3.4
name: user1
date: 2019-10-11 1:0:0
login_ip: 1.1.1.1
__source__: 1.2.3.4
name: user1
date: 2019-10-11 0:0:0
login_ip: 1.1.1.1
__source__: 1.2.3.4
name: user2
date: 2019-10-11 0:0:0
login_ip: 1.1.1.2
__source__: 1.2.3.4
name: user2
date: 2019-10-11 1:0:0
login_ip: 1.1.1.3
....更多日志....解决方案
1、首先对content中的users做分裂和展开操作
e_split("content", jmes='users[*]', output='item')
e_json("item",depth=1)处理后返回的日志:
__source__: 1.2.3.4
__topic__:
content:{...如前...}
item: {"name": "user1", "login_histories": [{"date": "2019-10-10 0:0:0", "login_ip": "1.1.1.1"}, {"date": "2019-10-10 1:0:0", "login_ip": "1.1.1.1"}]}
login_histories: [{"date": "2019-10-10 0:0:0", "login_ip": "1.1.1.1"}, {"date": "2019-10-10 1:0:0", "login_ip": "1.1.1.1"}]
name: user1
__source__: 1.2.3.4
__topic__:
content:{...如前...}
item: {"name": "user2", "login_histories": [{"date": "2019-10-11 0:0:0", "login_ip": "1.1.1.2"}, {"date": "2019-10-11 1:0:0", "login_ip": "1.1.1.3"}]}
login_histories: [{"date": "2019-10-11 0:0:0", "login_ip": "1.1.1.2"}, {"date": "2019-10-11 1:0:0", "login_ip": "1.1.1.3"}]
name: user22、然后对login_histories先做分裂在做展开操作
e_split("login_histories")
e_json("login_histories", depth=1)处理后返回的日志:
__source__: 1.2.3.4
__topic__:
content: {...如前...}
date: 2019-10-11 0:0:0
item: {"name": "user2", "login_histories": [{"date": "2019-10-11 0:0:0", "login_ip": "1.1.1.2"}, {"date": "2019-10-11 1:0:0", "login_ip": "1.1.1.3"}]}
login_histories: {"date": "2019-10-11 0:0:0", "login_ip": "1.1.1.2"}
login_ip: 1.1.1.2
name: user2
__source__: 1.2.3.4
__topic__:
content: {...如前...}
date: 2019-10-11 1:0:0
item: {"name": "user2", "login_histories": [{"date": "2019-10-11 0:0:0", "login_ip": "1.1.1.2"}, {"date": "2019-10-11 1:0:0", "login_ip": "1.1.1.3"}]}
login_histories: {"date": "2019-10-11 1:0:0", "login_ip": "1.1.1.3"}
login_ip: 1.1.1.3
name: user2
__source__: 1.2.3.4
__topic__:
content: {...如前...}
date: 2019-10-10 1:0:0
item: {"name": "user1", "login_histories": [{"date": "2019-10-10 0:0:0", "login_ip": "1.1.1.1"}, {"date": "2019-10-10 1:0:0", "login_ip": "1.1.1.1"}]}
login_histories: {"date": "2019-10-10 1:0:0", "login_ip": "1.1.1.1"}
login_ip: 1.1.1.1
name: user1
__source__: 1.2.3.4
__topic__:
content: {...如前...}
date: 2019-10-10 0:0:0
item: {"name": "user1", "login_histories": [{"date": "2019-10-10 0:0:0", "login_ip": "1.1.1.1"}, {"date": "2019-10-10 1:0:0", "login_ip": "1.1.1.1"}]}
login_histories: {"date": "2019-10-10 0:0:0", "login_ip": "1.1.1.1"}
login_ip: 1.1.1.1
name: user13、经过以上两步操作,基本上得到相应的数据,只需要删除无关字段即可
e_drop_fields("content", "item", "login_histories")处理后返回的日志:
__source__: 1.2.3.4
__topic__:
name: user1
date: 2019-10-11 1:0:0
login_ip: 1.1.1.1
__source__: 1.2.3.4
__topic__:
name: user1
date: 2019-10-11 0:0:0
login_ip: 1.1.1.1
__source__: 1.2.3.4
__topic__:
name: user2
date: 2019-10-11 0:0:0
login_ip: 1.1.1.2
__source__: 1.2.3.4
__topic__:
name: user2
date: 2019-10-11 1:0:0
login_ip: 1.1.1.3 4、综上LOG DSL规则可以如以下形式:
e_split("content", jmes='users[*]', output='item')
e_json("item",depth=1)
e_split("login_histories")
e_json("login_histories", depth=1)
e_drop_fields("content", "item", "login_histories")总结
针对以上类似的需求,首先需要进行分裂,然后在做展开操作,最后删除无关信息。
进一步参考
欢迎扫码加入官方钉钉群获得实时更新与阿里云工程师的及时直接的支持: 
