用于单词提取的 Logstash 配置
Logstash configuration for word extraction
我是 Logstash 操作的新手,我不知道如何执行以下操作。
我有一个示例数据如下:
Column:Type
Incident Response P3
Incident Resolution L1.5 P2
...
我想将单词 'Response' 和 'Resolution' 提取到一个新列中 'SLA type'
我正在寻找与以下 SQL 声明非常相似的内容:
case when Type like '%Resolution%' then Resolution
when Type like '%Response%' then Response
end as SLA_Type
我如何在 Logstash 中操作它?
以下是我的配置文件。我正在使用 API 输入。
input {
http_poller {
urls => {
snowinc => {
url => "https://service-now.com"
user => "your_user"
password => "yourpassword"
headers => {Accept => "application/json"}
}
}
request_timeout => 60
metadata_target => "http_poller_metadata"
schedule => { cron => "* * * * * UTC"}
codec => "json"
}
}
filter
{
json {source => "result" }
split{ field => ["result"] }
date {
match => ["[result][sys_created_on]","yyyy-MM-dd HH:mm:ss"]
target => "sys_created_on"
}
}
output {
elasticsearch {
hosts => ["yourelastuicIP"]
index => "incidentsnow"
action=>update
document_id => "%{[result][number]}"
doc_as_upsert =>true
}
stdout { codec => rubydebug }
}
API json url 的输出如下所示:
{"result":[
{
"made_sla":"true",
"Type":"incident resolution p3",
"sys_updated_on":"2019-12-23 05:00:00",
"number":"INC0010275",
"category":"Network"} ,
{
"made_sla":"true",
"Type":"incident resolution l1.5 p4",
"sys_updated_on":"2019-12-24 07:00:00",
"number":"INC0010567",
"category":"DB"}]}
如果某个词出现在另一个字段中,您可以在管道中使用以下 filter 块来添加新字段。
if "response" in [Type] {
mutate {
add_field => { "SLA_Type" => "Response" }
}
}
if "resolution" in [Type] {
mutate {
add_field => { "SLA_Type" => "Resolution" }
}
}
如果 response 一词出现在字段 Type 中,将添加名为 SLA_Type 且值为 Response 的新字段您的文档,resolution.
也会发生同样的情况
我是 Logstash 操作的新手,我不知道如何执行以下操作。 我有一个示例数据如下:
Column:Type
Incident Response P3
Incident Resolution L1.5 P2
...
我想将单词 'Response' 和 'Resolution' 提取到一个新列中 'SLA type'
我正在寻找与以下 SQL 声明非常相似的内容:
case when Type like '%Resolution%' then Resolution
when Type like '%Response%' then Response
end as SLA_Type
我如何在 Logstash 中操作它?
以下是我的配置文件。我正在使用 API 输入。
input {
http_poller {
urls => {
snowinc => {
url => "https://service-now.com"
user => "your_user"
password => "yourpassword"
headers => {Accept => "application/json"}
}
}
request_timeout => 60
metadata_target => "http_poller_metadata"
schedule => { cron => "* * * * * UTC"}
codec => "json"
}
}
filter
{
json {source => "result" }
split{ field => ["result"] }
date {
match => ["[result][sys_created_on]","yyyy-MM-dd HH:mm:ss"]
target => "sys_created_on"
}
}
output {
elasticsearch {
hosts => ["yourelastuicIP"]
index => "incidentsnow"
action=>update
document_id => "%{[result][number]}"
doc_as_upsert =>true
}
stdout { codec => rubydebug }
}
API json url 的输出如下所示:
{"result":[
{
"made_sla":"true",
"Type":"incident resolution p3",
"sys_updated_on":"2019-12-23 05:00:00",
"number":"INC0010275",
"category":"Network"} ,
{
"made_sla":"true",
"Type":"incident resolution l1.5 p4",
"sys_updated_on":"2019-12-24 07:00:00",
"number":"INC0010567",
"category":"DB"}]}
如果某个词出现在另一个字段中,您可以在管道中使用以下 filter 块来添加新字段。
if "response" in [Type] {
mutate {
add_field => { "SLA_Type" => "Response" }
}
}
if "resolution" in [Type] {
mutate {
add_field => { "SLA_Type" => "Resolution" }
}
}
如果 response 一词出现在字段 Type 中,将添加名为 SLA_Type 且值为 Response 的新字段您的文档,resolution.