Using if-else with Logstash split
I have a string field called description, delimited by _.
I am splitting it as below:

    filter {
      mutate {
        split => ["description", "_"]
        add_field => {"location" => "%{[description][3]}"}
      }
    }

How can I check whether the split value is empty?
I have tried:

    if !["%{[description][3]}"] {
      # do something
    }

    if ![[description][3]] {
      # do something
    }

    if ![description][3] {
      # do something
    }

None of them work.
The goal is to have the new field location take its actual value or a generic value, for example NA.

You made a very simple mistake with your mutate split.
This

    mutate {
      split => ["description", "_"]
      add_field => {"location" => "%{[description][3]}"}
    }

should be

    mutate {
      split => ["description"=> "_"]   # <=== see I removed the comma and added =>
      add_field => {"location" => "%{[description][3]}"}
    }

Here is the sample I tested with:

    filter {
      mutate {
        remove_field => ["headers", "@version"]
        add_field => { "description" => "Python_Java_ruby_perl " }
      }
      mutate {
        split => {"description" => "_"}
      }
      if [description][4] {
        mutate {
          add_field => {"result" => "The 4 th field exists"}
        }
      } else {
        mutate {
          add_field => {"result" => "The 4 th field DOES NOT exists"}
        }
      }
    }

And the result on the console (since there is no 4th element, it goes to the else block):

    {
               "host" => "0:0:0:0:0:0:0:1",
             "result" => "The 4 th field DOES NOT exists", <==== from else block
         "@timestamp" => 2020-01-14T19:35:41.013Z,
            "message" => "hello",
        "description" => [
            [0] "Python",
            [1] "Java",
            [2] "ruby",
            [3] "perl "
        ]
    }
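
The following filter is an added example, not part of the original question or answer, showing one way to reach the asker's stated goal of setting location to the split value or to NA. It assumes an empty element should also count as missing; an unresolved %{[description][3]} reference would otherwise be stored as literal text.

```logstash
filter {
  # Split first, in its own mutate, using the hash form the answer tested with.
  mutate {
    split => { "description" => "_" }
  }

  # [description][3] is the fourth element of the resulting array.
  # The second test treats an empty element (e.g. from "a_b_c__e") as missing;
  # that is an assumption of this example, not something the page specifies.
  if [description][3] and [description][3] != "" {
    mutate {
      add_field => { "location" => "%{[description][3]}" }
    }
  } else {
    # Fallback value taken from the question. Without this branch, the
    # sprintf reference above would be written out unresolved, as literal text.
    mutate {
      add_field => { "location" => "NA" }
    }
  }
}
```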