以下是实例

原始数据:

{"countnum":2,"checktime":"2017-05-23 16:59:32"}

{"countnum":2,"checktime":"2017-05-23 16:59:32"}  



1、无涉及字段类型转换   logstash filter  配置如下参数即可

if [type] == "onlinecount" {

       json{

    source => "message"

     }

  }



2、涉及字段类型转换

logstash filter  


if [type] == "onlinecount" {

mutate{

split=>["message",","]

add_field => {

"coutnum" => "%{[message][0]}"

}

add_field => {

"checktime" => "%{[message][1]}"

}

remove_field => ["message"]

}

json{

source => "coutnum"

source => "checktime"

#convert => { "coutnum" => "integer" }

target => "coutnum"

target => "checktime"

}

}