Logstash

Question

我是 Logstash 的新手。目前我正在尝试解析 CSV 格式的日志。我需要用空格分隔符拆分一个字段，然后我将根据拆分结果添加新字段。

这是我需要创建的过滤器：

filter {
...
mutate {
    split => ["user", " "]
    if [user.length] == 2 {
        add_field => { "sourceUsername" => "%{user[0]}" }
        add_field => { "sourceAddress" => "%{user[1]}" }
    }
    else if [user.length] == 1 {
        add_field => { "sourceAddress" => "%{user[0]}" }
    }
}
...
}

我在 if 脚本后出错。请指教，有没有办法在mutate插件中捕获拆分结果的长度。

谢谢，赫里

Answer 1

根据您的代码示例，我假设您已完成 csv 解析，并且您已经有一个字段 user，该字段的值包含 sourceAddress 或包含 sourceUsername sourceAddress（以空格分隔）。

现在，有 lot of filters that can be used to retrieve further fields. You don't need to use the mutate filter to split the field. In this case, a more flexible approach would be the grok filter.

过滤器：

grok {
    match => {
        "user" => [ 
            "%{WORD:sourceUsername} %{IP:sourceAddress}",
            "%{WORD:sourceUsername}"
            ]
    }
}

字段 "user" => "192.168.0.99" 将导致

"sourceAddress" => "191.168.0.99".

字段 "user" => "Herry 192.168.0.99" 将导致

"sourceUsername" => "Herry", "sourceAddress" => "191.168.0.99"

当然你可以把IP改成WORD如果你的sourceAddress不是IP

Logstash - 在 mutate 中找到拆分结果的长度

Logstash - find length of split result inside mutate

elasticsearch

logstash-configuration