使用 ruby 过滤器创建一个新字段
Create a new field with ruby filter
所以这里的参数是一个散列,我想连接所有的键并将其存储到一个新字段中,我该如何实现?我发现可以在配置文件中使用内联 ruby 代码但是,我不知道如何分配 concat 的 return 值。
grok { match => { "request" => [ "url", "%{URIPATH:url_path}%{URIPARAM:url_params}?" ]} }
urldecode{ field => "url_path" }
mutate { gsub => ["url_params","\?","" ] }
kv {
field_split => "&"
source => "url_params"
target => "params"
}
urldecode{ field => "params" }
ruby {
code => 'pattern= params.keys.join(",")'
#Pattern should be the new field that contains the key, separated by comma
}
预期结果应为:
模式="param1,param2,param3 ... and so on"
解决方案是:
event.set('field_name', field_value)
所以这里的参数是一个散列,我想连接所有的键并将其存储到一个新字段中,我该如何实现?我发现可以在配置文件中使用内联 ruby 代码但是,我不知道如何分配 concat 的 return 值。
grok { match => { "request" => [ "url", "%{URIPATH:url_path}%{URIPARAM:url_params}?" ]} }
urldecode{ field => "url_path" }
mutate { gsub => ["url_params","\?","" ] }
kv {
field_split => "&"
source => "url_params"
target => "params"
}
urldecode{ field => "params" }
ruby {
code => 'pattern= params.keys.join(",")'
#Pattern should be the new field that contains the key, separated by comma
}
预期结果应为:
模式="param1,param2,param3 ... and so on"
解决方案是:
event.set('field_name', field_value)