在 Logstash 中提取 xpath 值以有条件地创建新字段
Extracting xpath values in Logstash to conditionally create new fields
我的 xml 文件的结构附在下面。我想提取由 xpath 创建的字段的值和 运行 if else 条件。在某种程度上,如果 station_name 的值等于 "Finch" 那么创建一个新字段并存储在 it.Can 任何人都建议我如何实现这个
我想要实现的目标的编码版本
if "Finch" in [station_name] {
xpath => ["/station/name/text()","Ny_station"]
}
else {
xpath => ["/station/name/text()","nonNy_station"]
}
这是我的配置文件
input
{
file
{
path => "C:\Users6181152\Downloads\stations3.xml"
start_position => "beginning"
sincedb_path => "/dev/null"
exclude => "*.gz"
type => "xml"
codec => multiline {
pattern => "<stations>"
negate => "true"
what => "previous"
}
}
}
filter
{
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "station_name"
]
}
}
output
{
elasticsearch
{
codec => json
hosts => "localhost"
index => "xmlns24"
}
stdout
{
codec => rubydebug
}
}
您不能在 xml 过滤器中使用 if else 循环。但是你可以在 if else 循环中有两个 xml 过滤器,唯一的区别是 xpath 创建的变量。
此处它检查字符串 Finch 作为消息值的正则表达式模式,以决定使用哪个 xml 过滤器。
if [message] =~ "Finch" {
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "Ny_station"
]
}
} else {
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "nonNy_station"
]
}
}
我的 xml 文件的结构附在下面。我想提取由 xpath 创建的字段的值和 运行 if else 条件。在某种程度上,如果 station_name 的值等于 "Finch" 那么创建一个新字段并存储在 it.Can 任何人都建议我如何实现这个
我想要实现的目标的编码版本
if "Finch" in [station_name] {
xpath => ["/station/name/text()","Ny_station"]
}
else {
xpath => ["/station/name/text()","nonNy_station"]
}
这是我的配置文件
input
{
file
{
path => "C:\Users6181152\Downloads\stations3.xml"
start_position => "beginning"
sincedb_path => "/dev/null"
exclude => "*.gz"
type => "xml"
codec => multiline {
pattern => "<stations>"
negate => "true"
what => "previous"
}
}
}
filter
{
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "station_name"
]
}
}
output
{
elasticsearch
{
codec => json
hosts => "localhost"
index => "xmlns24"
}
stdout
{
codec => rubydebug
}
}
您不能在 xml 过滤器中使用 if else 循环。但是你可以在 if else 循环中有两个 xml 过滤器,唯一的区别是 xpath 创建的变量。
此处它检查字符串 Finch 作为消息值的正则表达式模式,以决定使用哪个 xml 过滤器。
if [message] =~ "Finch" {
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "Ny_station"
]
}
} else {
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "nonNy_station"
]
}
}