根据文件拍数据将字段添加到logstash [英] Add fields to logstash based off of filebeat data

问题描述

因此，我有一个由filebeat设置的主机名(并且我编写了一个应该抓住它的正则表达式)，但是以下内容并未按照我认为的方式添加字段..

So, I have a hostname that is being set by filebeat (and I've written a regex that should grab it), but the following isn't adding fields the way that I think it should..

grok{
  patterns_dir => "/config/patterns"
  match =>{ "beat.hostname" => ["%{INSTALLATION}-%{DOMAIN}-%{SERVICE}"] }
    add_field => { "[installation]" => "%{INSTALLATION}"}
    add_field => { "[domain]" => "%{DOMAIN}"}
    add_field => { "[service]" => "%{SERVICE}"}

 }  

我似乎无法访问beat.hostname，hostname，host或类似的东西来添加所需的字段.当前的主机名是:BOS-LAP-MYNAME1

I can't seem to access beat.hostname, hostname, host or anything like that to add the fields that I want. At present the hostname is: BOS-LAP-MYNAME1

应与以下哪个匹配:

INSTALLATION [^-]{1,3}
DOMAIN (BOS|LAP)
SERVICE (MYNAME1|TEST|12345)

还请注意:尽管Kibana中提供了这些字段，但我也尝试了主机"，主机名"和其他类似的字段名称，但都无济于事.

Also note: I've tried the "host" "hostname" and other field names like that to no avail as well, despite those fields being available in Kibana.

推荐答案

由于hostname嵌套在beat下，因此您需要与[beat][hostname]而不是beat.hostname匹配.要将这些字段添加到文档中，请使用match参数中的%{PATTERN:fieldname}形式.

Since hostname is nested under beat you need to match against [beat][hostname] rather than beat.hostname. And to add those fields to the document use the form of %{PATTERN:fieldname} in the match parameter.

filter {
  grok {
    patterns_dir => ["/config/patterns"]
    match => {
      "[beat][hostname]" => "%{INSTALLATION:installation}-%{DOMAIN:domain}-%{SERVICE:service}"
    }
  }
}

这篇关于根据文件拍数据将字段添加到logstash的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！