修剪字段值，或删除部分值 [英] Trim field value, or remove part of the value

问题描述

我正在尝试调整路径名，以使其不再在末尾附加时间戳.我输入了许多不同的日志，因此为每个可能的日志编写条件过滤器是不切实际的.如果可能的话，我只想修整值的最后九个字符.

I am trying to adjust path name so that it no longer has the time stamp attached to the end. I am input many different logs so it would be impractical to write a conditional filter for every possible log. If possible I would just like to trim the last nine characters of the value.

例如"random.log-20140827"将成为"random.log".

推荐答案

因此，如果您知道它总是随机的.log-something-

So if you know it's always going to be random.log-something --

if [path] =~ /random.log/ {
  mutate {
     replace => ["path", "random.log"]
  }
}

如果您要修复"其中带有日期的任何内容:

If you want to "fix" anything that has a date in it:

if [path] =~ /-\d\d\d\d\d\d\d\d/ {
   grok {
      match => [ "path", "^(?<pathPrefix>[^-]+)-" ]
   }
   mutate {
      replace => ["path", "%{pathPrefix}"]
      remove_field => "pathPrefix"
   }
}

在这两者中，第一个将减少计算强度.

Of the two, the first is going to be less compute intensive.

我都没有测试过，但是它们应该可以工作.

I haven't tested either of these, but they should work.

这篇关于修剪字段值，或删除部分值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！