Elasticsearch 7.12, filebeat get log message then send to elasticsearch.
messages with keyword '上报请求信息' include json data, I created ingest with condition try to get these json data, the following is my ingest content.
{
"yibo_test_jsondata" : {
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"""^\[(?<timestamp>%{YEAR}:%{MONTHNUM}:%{MONTHDAY} %{TIME})\]\[(?<result.txt>\w+)\](?<reqinfo>[^{]*)%{GREEDYDATA:jsondata}"""
]
}
},
{
"date" : {
"field" : "timestamp",
"formats" : [
"yyyy:MM:dd HH:mm:ss"
],
"timezone" : "UTC+8"
}
},
{
"json" : {
"field" : "jsondata",
"if" : """ctx.reqinfo =~ /上报请求信息/"""
}
}
]
}
}
as condition "if" : """ctx.reqinfo =~ /上报请求信息/""" should be analyse message with '上报请求信息'. But without keyword '上报请求信息' (one sample: [2020:01:01 07:37:05][INFO]接口调用失败,参数:{"ParkCode":"510105037","Mac":"6C:4B:90:B4:8F:0F","Random":null,"Sign":null} 返回:{"state":-1103001,"total":0}), still try to analyse and got error "object mapping for [jsondata] tried to parse field [jsondata] as object, but found a concrete value", How can I use chinese in ingest?