如何在Logstash中使用mutate和gsub替换部分值 [英] How to replace the part of value using mutate and gsub in logstash

问题描述

我在日志文件中输入了以下内容:

I've got in my log file something like this:

DATATYPE::SERVICEPERFDATA       TIMET::1519222690       HOSTNAME::localhost     SERVICEDESC::Total Processes    SERVICEPERFDATA::procs=59;250;400;0;    SERVICECHECKCOMMAND::check_local_procs!250!400!RSZDT  HOSTSTATE::UP    HOSTSTATETYPE::HARD     SERVICESTATE::OK        SERVICESTATETYPE::HARD

我想将消息中的SERVICEPERFDATA::procs=59;250;400;0;这个键值对替换为类似的内容.

I want to replace SERVICEPERFDATA::procs=59;250;400;0; this key value pair in my message to something like this.

SERVICEPERFDATA::59

所以我可以使用kv过滤器将数据分为键和值.

so I can use kv filter to split the data into key and value.

我已经尝试过使用Logstash mutate和gsub，但是找不到合适的正则表达式来实现我的目标.

I've tried with Logstash mutate and gsub but couldn't find the right regex to achieve my goal.

谢谢， Charan

Thanks, Charan

推荐答案

您可以使用捕获组来获取正则表达式的一部分，并将其用于mutate/gsub配置的替换部分.

You can use a capturing group to grab a part of a regex and use it in the replace part of the mutate/gsub configuration.

mutate {
  gsub => ["message","(?<=SERVICEPERFDATA::)procs=(\d+);\S+", "\1"]
}

(?<=SERVICEPERFDATA::)使之生效，因此正则表达式仅适用于SERVICEPERFDATA::. procs=(\d+);\S+正则表达式会将所有数字放在procs=和下一个;之间，然后用于组的替换部分("\1").

The (?<=SERVICEPERFDATA::) make it so the regex only apply to SERVICEPERFDATA::. The procs=(\d+);\S+ regex will put all the numbers between procs= and the next ; in a group, which is then used in the replace part of the configuration ("\1").

请参见正则表达式说明.

过滤器结果:SERVICEPERFDATA::59

另一种选择是使用两个mutate/gsub过滤器，每个过滤器都有一个更简单的配置.

Another option would be to use two mutate/gsub filters, which would have each a simpler configuration.

这篇关于如何在Logstash中使用mutate和gsub替换部分值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！