如何在 logstash 过滤器中获取消息的第一个字符
How to get first char of a message in logstash filter
我想获取消息的第一个字符,以便应用 xml 或 json 过滤器,但我什至不知道如何开始
```
filter {
if [type]=="mom_rubens" {
if [message] = "<*" {
xml {
source => "message"
store_xml => false
xpath => [
"/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
"/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
]
target => "xml"
}
}
else if [message] = "{*" {
json {
source => "message"
}
}
}
```
if [消息] = "
```
感谢您的帮助
此致,纪尧姆
应该是:
if [message] =~ /^<xml/ {
...
}
我觉得还不错
filter {
if [type]=="mom_rubens" {
if ([message] =~ /^</) {
xml {
add_field => { "genre" => "xml" }
source => "message"
store_xml => false
xpath => [
"/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
"/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
]
target => "xml"
}
}
else if ([message] =~ /^{/) {
json {
add_field => { "genre" => "json" }
source => "message"
}
}
}
但是在 json 数据中,我有一个 'type' 字段,这给我带来了很多麻烦,因为它覆盖了我原来的 'type field' (mom_rubens 不再一旦 json 被解析)
我有办法重命名 json
中的字段吗
{"sender":"opa","type":"update","programId":"065491-000-A","emNumber":"065491-000","reassembly":"A","programCaseCode":452,"genrePressCode":0,"kind":"SHOW","parents":[],"routingKey":"update.INTERNET.K_SHOW.ALW.PRG_ANG.PRG_ESP.C452.G0","platforms":["ALW","PRG_ANG","PRG_ESP"],"date":"2016-01-14T13:49:40+0100"}
在这种情况下,我希望有 typemessage 而没有 type
此致,
我想获取消息的第一个字符,以便应用 xml 或 json 过滤器,但我什至不知道如何开始 ```
filter {
if [type]=="mom_rubens" {
if [message] = "<*" {
xml {
source => "message"
store_xml => false
xpath => [
"/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
"/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
]
target => "xml"
}
}
else if [message] = "{*" {
json {
source => "message"
}
}
}
```
if [消息] = "
```
感谢您的帮助
此致,纪尧姆
应该是:
if [message] =~ /^<xml/ {
...
}
我觉得还不错
filter {
if [type]=="mom_rubens" {
if ([message] =~ /^</) {
xml {
add_field => { "genre" => "xml" }
source => "message"
store_xml => false
xpath => [
"/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
"/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
"/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
]
target => "xml"
}
}
else if ([message] =~ /^{/) {
json {
add_field => { "genre" => "json" }
source => "message"
}
}
}
但是在 json 数据中,我有一个 'type' 字段,这给我带来了很多麻烦,因为它覆盖了我原来的 'type field' (mom_rubens 不再一旦 json 被解析)
我有办法重命名 json
中的字段吗{"sender":"opa","type":"update","programId":"065491-000-A","emNumber":"065491-000","reassembly":"A","programCaseCode":452,"genrePressCode":0,"kind":"SHOW","parents":[],"routingKey":"update.INTERNET.K_SHOW.ALW.PRG_ANG.PRG_ESP.C452.G0","platforms":["ALW","PRG_ANG","PRG_ESP"],"date":"2016-01-14T13:49:40+0100"}
在这种情况下,我希望有 typemessage 而没有 type
此致,