使用正则表达式从字段创建标签
Create tag from field using regex
我正在使用 logstash 收集我的 apache 日志,因此我有一个名为 request_url 的字段,其中包含如下所示的值:
POST /api_v1/services/order_service HTTP/1.1
POST /api_v2/services/user_service HTTP/1.0
我想创建包含 API 版本和服务名称的单独标签,例如
POST /api_v1/services/order_service HTTP/1.1 -> ["v1", "order_service"]
POST /api_v2/services/user_service HTTP/1.0 -> ["v2", "user_service"]
如何在 logstash 配置中实现这一点?感谢您的指点。
使用下面的grok过滤器,你可以分离出你需要的组件,然后添加合适的标签
filter {
grok {
"match" => { "message" => "%{WORD:verb} /api_%{NOTSPACE:version}/services/%{WORD:service}" }
"add_tag" => ["%{version}", "%{service}"]
}
}
您将获得的事件如下所示:
{
"message" => "POST /api_v1/services/order_service HTTP/1.1",
"@version" => "1",
"@timestamp" => "2016-06-07T02:52:01.136Z",
"host" => "iMac.local",
"verb" => "POST",
"version" => "v1",
"service" => "order_service",
"tags" => [
[0] "v1",
[1] "order_service"
]
}
我正在使用 logstash 收集我的 apache 日志,因此我有一个名为 request_url 的字段,其中包含如下所示的值:
POST /api_v1/services/order_service HTTP/1.1
POST /api_v2/services/user_service HTTP/1.0
我想创建包含 API 版本和服务名称的单独标签,例如
POST /api_v1/services/order_service HTTP/1.1 -> ["v1", "order_service"]
POST /api_v2/services/user_service HTTP/1.0 -> ["v2", "user_service"]
如何在 logstash 配置中实现这一点?感谢您的指点。
使用下面的grok过滤器,你可以分离出你需要的组件,然后添加合适的标签
filter {
grok {
"match" => { "message" => "%{WORD:verb} /api_%{NOTSPACE:version}/services/%{WORD:service}" }
"add_tag" => ["%{version}", "%{service}"]
}
}
您将获得的事件如下所示:
{
"message" => "POST /api_v1/services/order_service HTTP/1.1",
"@version" => "1",
"@timestamp" => "2016-06-07T02:52:01.136Z",
"host" => "iMac.local",
"verb" => "POST",
"version" => "v1",
"service" => "order_service",
"tags" => [
[0] "v1",
[1] "order_service"
]
}