logstash name fields dynamically
I have a dynamic field; the field format looks like

    A-B-C::D_[randomNum]

The field is dynamic because of the randomNum.
I want to change the '-' to '_' and remove the [randomNum],
so that it will look as follows:

    A_B_C::D

Is there any plugin / strategy to solve this problem?
Solution

You should be able to achieve this with a mutate/gsub filter:

    filter {
      mutate {
        gsub => [
          # replace random num suffix
          "fieldname", "_\d+", "",
          # replace all dashes with underscores
          "fieldname", "-", "_"
        ]
      }
    }

Make sure to replace fieldname with your actual field name.

UPDATE

Given your comments, it turned out it's the field names that are dynamic and not the value. For this reason, you cannot use the above solution but the next one should work, i.e. using the ruby filter:
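
    filter {
      ruby {
        # event[key] is the pre-5.0 Event API; Logstash 5.0 and later
        # use event.get(key) and event.set(key, value) instead.
        code => "
          # collect renamed fields here, then write them back after the loop
          newhash = {}
          event.to_hash.each {|key, value|
            if key =~ /^CISCO/ then
              # drop the _<digits> part and turn dashes into underscores
              newkey = key.gsub(/_\d+/, '').gsub('-', '_')
              newhash[newkey] = event[key]
              event.remove(key)
            end
          }
          newhash.each {|key,value|
            event[key] = value
          }
        "
      }
    }
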
After this filter runs, your event will have the field A_B_C::D instead of the original A-B-C::D_num
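
The renaming logic from the answer's ruby filter, as an added example that is not part of the original answer: it runs on a plain Ruby hash outside Logstash, anchors the numeric suffix to the end of the name, and keeps every value when several dynamic names collapse onto one key. The CISCO prefix comes from the answer; the helper names, sample field names and values are constructed.

```ruby
# Added example (not from the original answer). Helper names are hypothetical.
PREFIX = /\ACISCO/ # prefix taken from the answer's filter

# Constructed sample event: two fields differ only in their random suffix,
# and one field contains _<digits> in the middle of its name.
SAMPLE_EVENT = {
  'message' => 'constructed sample',
  'CISCO-ASA-ACL::HITS_48213' => 7,
  'CISCO-ASA-ACL::HITS_90144' => 3,
  'CISCO-ASA-SRC::IP_5521' => '192.0.2.10',
  'CISCO-V_2-DST::PORT_17' => 443
}.freeze

# Strip only a trailing _<digits> suffix, then turn dashes into underscores.
# An unanchored /_\d+/ would also eat the "_2" inside "V_2".
def normalize_key(key)
  key.sub(/_\d+\z/, '').tr('-', '_')
end

# Return a new hash with every key matching prefix renamed.
# Values whose names collapse onto the same key are kept together in an
# array, so a later field cannot silently overwrite an earlier one.
def normalize_fields(fields, prefix = PREFIX)
  result = {}
  grouped = Hash.new { |h, k| h[k] = [] }
  fields.each do |key, value|
    if key.match?(prefix)
      grouped[normalize_key(key)] << value
    else
      result[key] = value
    end
  end
  grouped.each do |key, values|
    result[key] = values.length == 1 ? values.first : values
  end
  result
end

puts normalize_fields(SAMPLE_EVENT).inspect if __FILE__ == $PROGRAM_NAME
```
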