检查阵列中的Logstash仅适用于1个以上的元素 [英] Logstash in check for array only works with more than 1 element

问题描述

这主要是因为我找不到答案，并且想知道它的工作原理/原因.

this is mainly because I could not find an answer to this and I want to know how it works/why it works.

这是我的过滤器示例:

(1):

if [message] in ["a","b"] {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

这对于"a"或"b"的邮件非常有用.添加了一个新字段.完美.

This works perfectly fine for messages that are "a" or "b". A new field is added. Perfect.

(2)

if [message] == "a" {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

当消息为"a"时，效果很好.

Works perfectly fine when the message is "a".

(3)

if [message] in ["a"] {
      mutate {
          add_field => { "tet" => "world2" }
      }
}

这不起作用.如果消息为"a"，则检查仍然失败，并且没有将任何字段添加到我的事件中.

This does not work. If the message is "a" the check still fails and no field is added to my event.

为什么最后一次检查失败?这是一个错误吗?我想通过键入，logstash并不意味着"a"应该是一个1元素数组，但是我不确定.

Why does the last check fail? Is this a bug? I imagine that with typing, logstash does not thing that "a" is supposed to be a 1 element array, but I am not sure about that.

如果您还可以指出一些解释这种现象的文档:)

If you could also point me to some docs that explain this behaviour :)

谢谢

推荐答案

这是一些棘手的行为，但是我相信我已经知道了为什么会发生这种情况.这可能是由于将方括号[]用作数组和字段名称分隔符而造成的一些意外行为.

This is some tricky behavior, but I believe I worked out why this is happening. This is probably some unintended behavior created by the double use of square brackets [] as array and field name delimiters.

当方括号之间有多个逗号分隔的元素时，logstash读取["a","b"]作为数组.当只有一个元素时，logstash会读取一个字段名称，因此检查in ["a"]会查找一个名为"a"的字段及其值.

When there are multiple, comma-separated elements between the brackets, logstash reads ["a","b"] as an array. When there is only one element, logstash reads a field name, so the check in ["a"] looks for a field named "a" and its value.

过滤器:

mutate {
    add_field => {'"pop"' => "corn"}
  }
if "corn" in ["pop"] {
 mutate {
    add_tag => ["zing"]
  }
}

输入:

foo

输出:

{
       "message" => "foo",
      "@version" => "1",
    "@timestamp" => "2016-07-05T20:08:44.297Z",
          "host" => "4244ed3ff45a",
       "\"pop\"" => "corn",
          "tags" => [
        [0] "zing"
    ]
}

这篇关于检查阵列中的Logstash仅适用于1个以上的元素的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！