消除Logstash中的顶级字段 [英] Eliminate the top-level field in Logstash

问题描述

我正在使用Logstash，并且我的一个应用程序向我发送了以下字段:

I am using Logstash and one of my applications is sending me fields like:

[message][UrlVisited]
[message][TotalDuration]
[message][AccountsProcessed]

我希望能够折叠这些字段，从而完全删除顶级消息.因此，以上字段将变为:

I'd like to be able to collapse these fields, removing the top level message altogether. So the above fields will become:

[UrlVisited]
[TotalDuration]
[AccountsProcessed]

在Logstash中有没有办法做到这一点?

Is there a way to do this in Logstash?

推荐答案

假定所有此类子字段的名称都是预先已知的，则可以使用

Assuming the names of all such subfields are known in advance you can use the mutate filter:

filter {
  mutate {
    rename => ["[message][UrlVisited]", "UrlVisited"]
  }
  mutate {
    rename => ["[message][TotalDuration]", "TotalDuration"]
  }
  mutate {
    rename => ["[message][AccountsProcessed]", "AccountsProcessed"]
  }
  mutate {
    remove_field => ["message"]
  }
}

或者，使用红宝石过滤器(即使您不知道字段名称也可以使用):

Alternatively, use a ruby filter (which works even if you don't know the field names):

filter {
  ruby {
    code => "
      event.get('message').each {|k, v|
        event.set(k, v)
      }
      event.remove('message')
    "
  }
}

此示例适用于Logstash 2.4及更高版本.对于早期版本，请使用event['message'].each ...和event[k] = v.

This example works on Logstash 2.4 and later. For earlier versions use event['message'].each ... and event[k] = v instead.

这篇关于消除Logstash中的顶级字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！