如何在Logstash中的字段中替换字符串 [英] How do I replace a string in a field in Logstash

问题描述

我有Windows事件日志中的IP地址字段，该IP地址字段的IP地址前面包含诸如":: fffff:"之类的字符.我无法在此处更改源，因此必须在Logstash中进行修复.

I have an IP address field from the Windows event log that contains characters like "::fffff:" in front of the IP address. I cannot change the source here, so I have to fix this in Logstash.

我一定很喜欢谷歌搜索，但是我真的找不到一种简单的方法来从logstash的ip-address字段中剥离这些字符.

I must suck at googling, but I really can't find a simple way to just strip these characters from the ip-address fields in logstash.

我尝试过

 if ("" in [event_data][IpAddress]) {
        mutate {
              add_field => { "client-host" => "%{[event_data][IpAddress]}"}
              gsub => ["client-host", ":", ""]
        }
        dns {
             action => "replace"
             reverse => [ "client-host" ]
        }
 }

但没有运气，结肠还在那儿.如何在Logstash中的字符串":: ffff:10.0.36.39"中替换":: ffff:"?

but no luck, the colon is still there. How can I replace "::ffff:" in the string "::ffff:10.0.36.39" in Logstash?

推荐答案

add_field直到gsub之后才执行，因此需要将其分成两个mutate块.

The add_field isn't executed until after the gsub, so you need to break it up into two mutate blocks.

mutate {
  add_field => { "client-host" => "%{[event_data][IpAddress]}"}
}
mutate {
  gsub => ["client-host", "::ffff:", ""]
}

mutate工作的特定顺序:

rename(event) if @rename
update(event) if @update
replace(event) if @replace
convert(event) if @convert
gsub(event) if @gsub
uppercase(event) if @uppercase
lowercase(event) if @lowercase
strip(event) if @strip
remove(event) if @remove
split(event) if @split
join(event) if @join
merge(event) if @merge

filter_matched(event)

filter_matched具有所有标准动作，例如add_field

Where filter_matched has all of the standard actions like add_field

这篇关于如何在Logstash中的字段中替换字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！