【Logstash 1.5.6】Filter-mutate

時間 2019-11-19

標籤 Logstash 1.5.6 filter mutate 欄目日誌分析简体版

原文原文鏈接

1、mutateshell

[root@hftest0001 logstash-1.5.6]# pwd
/opt/logstash-1.5.6

[root@hftest0001 logstash-1.5.6]# cat conf/input_file-output_console.conf
input{
	file{
		type => "cms"
		path => [ "/opt/logstash-data/input/*.log" ]
		add_field => {
			"received_at"=>"%{timestamp}"
			"received_from"=>"%{host}"
		}
	}
}


filter{
	mutate{
	        #能夠隨意替換上游的任何字段,若是不存在，則添加
		replace => {
		    "received_at" => "%{host}:My New Message"
                    "received_at_not_exists" => "%{host}:My New Message"
                }
                
                #修改上游field的名稱
                rename => {
                    "received_from" => "from"
                }
	}
}

output{
	stdout{
		codec => rubydebug 
	}
}

[root@hftest0001 logstash-1.5.6]# ./bin/logstash -f conf/
...
...
Logstash startup completed


[root@hftest0001 ~]# echo "3" >> /opt/logstash-data/input/1.log 
{
                   "message" => "3",
                  "@version" => "1",
                "@timestamp" => "2016-02-02T06:29:08.367Z",
                      "host" => "hftest0001",
                      "path" => "/opt/logstash-data/input/1.log",
                      "type" => "cms",
               "received_at" => "hftest0001:My New Message",        => value別替換了
                      "from" => "hftest0001",                       => rename
    "received_at_not_exists" => "hftest0001:My New Message"         => field不存在，則新增field
}

相關標籤/搜索

logstash+lastmodifytime

elasticsearch+logstash

日誌分析

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。