grok multiple messages and process them with different tags


Problem description

I want to make a filter in Logstash (version 2.4) with different matches in the same grok. I would like to add different tags depending on the match. Basically, I receive three different message patterns: "##MAGIC##%message", "##REAL##%message" and "%message". What I am trying to do is:

 grok {
 match => {"message" => "##MAGIC##%{GREEDYDATA:magic_message}"}
 match => {"message" => "##REAL##%{GREEDYDATA:real_message}"}
 match => {"message" => "%{GREEDYDATA:basic_message}"}
 if [magic_message]{
    overwrite => [ "message"]  
    add_tag => ["Magic"]
 } else if [real_message]{
    overwrite => [ "message"]  
    add_tag => ["Real"]
 }else{
   overwrite => [ "message"]  
    add_tag => ["Basic"]
 }

But I get this compile failure:

    The given configuration is invalid. Reason: Expected one of #, => at line 34, column 9 (byte 900) after filter {
  grok {
     match => {"message" => "##MAGIC##%{GREEDYDATA:magic_message}"}
     match => {"message" => "##REAL##%{GREEDYDATA:real_message}"}
     match => {"message" => "%{GREEDYDATA:basic_message}"}
     if  {:level=>:fatal}

Accepted answer

The Logstash configuration syntax does not work like this.

This should work better (under the assumption that you want to replace message with magic_message/real_message):

grok {
    match => {"message" => [ "##MAGIC##%{GREEDYDATA:magic_message}",
                             "##REAL##%{GREEDYDATA:real_message}",
                             "%{GREEDYDATA:basic_message}"]}
}
if [magic_message] {
    mutate {
        replace => { "message" => "%{magic_message}" }
        add_tag => ["Magic"]
    }
} else if [real_message] {
    mutate {
        replace => { "message" => "%{real_message}" }
        add_tag => ["Real"]
    }
} else {
    mutate {
        add_tag => ["Basic"]
    }
}
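The following is an added example, not part of the answer or of Logstash itself: a small Python model of what the grok + mutate filters above do to an event. It mirrors grok's first-match semantics (patterns are tried in the listed order and matching stops at the first hit, since break_on_match defaults to true), which is why the catch-all "%{GREEDYDATA:basic_message}" pattern must be listed last. The event dicts and the process_event function are constructed for this illustration.

```python
import re

# Constructed regexes mirroring the three grok patterns from the answer.
# GREEDYDATA is ".*" and grok matches are unanchored (search semantics),
# so "##MAGIC##" anywhere in the message matches; anchor the Logstash
# pattern with "^" if only a prefix should count.
GROK_PATTERNS = [
    ("magic_message", re.compile(r"##MAGIC##(?P<magic_message>.*)", re.S), "Magic"),
    ("real_message", re.compile(r"##REAL##(?P<real_message>.*)", re.S), "Real"),
    ("basic_message", re.compile(r"(?P<basic_message>.*)", re.S), "Basic"),
]


def process_event(event, patterns=GROK_PATTERNS):
    """Apply the grok + mutate logic from the answer to one event dict.

    The first pattern that matches wins: its named field is added, the
    corresponding tag is appended, and for Magic/Real the message is
    replaced by the captured payload (the mutate "replace" step).
    """
    out = dict(event)
    out["tags"] = list(event.get("tags", []))
    for field, regex, tag in patterns:
        m = regex.search(event.get("message", ""))
        if m is None:
            continue
        out[field] = m.group(field)
        out["tags"].append(tag)
        if tag != "Basic":
            out["message"] = m.group(field)
        return out
    # Unreachable with the catch-all pattern present; grok itself would
    # tag the event _grokparsefailure when nothing matches.
    out["tags"].append("_grokparsefailure")
    return out


if __name__ == "__main__":
    # Constructed sample events covering the three message shapes.
    for msg in ["##MAGIC##user login ok", "##REAL##disk 91% full", "plain line"]:
        print(process_event({"message": msg}))
    # Same events with the catch-all listed first: every event is tagged Basic.
    print(process_event({"message": "##MAGIC##x"}, patterns=GROK_PATTERNS[::-1]))
```

Passing the reversed pattern list shows the ordering pitfall: with the catch-all first, no event is ever tagged Magic or Real.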
