我写了一个小的工作示例来解释我的问题:
input {
stdin {
codec => "json"
}
}
filter {
mutate {
rename => { "[DictA]" => "[ZielDict]" }
rename => { "[DictB]" => "[ZielDict]" }
}
}
output {
stdout {}
}
输入
{
"DictA": {
"valueA": 123
},
"DictB": {
"valueB": 456
}
}
输出
{
"@version" => "1",
"host" => "78f85c66a671",
"@timestamp" => 2018-11-15T12:11:01.193Z,
"ZielDict" => {
"valueB" => 456
}
}
想要的输出(我不想覆盖DictA!)
{
"@version" => "1",
"host" => "78f85c66a671",
"@timestamp" => 2018-11-15T12:11:01.193Z,
"ZielDict" => {
"valueA" => 123
"valueB" => 456
}
}
因此,如您所见,我想附加到ZielDict而不是用DictB覆盖它。我该如何处理? 预先感谢!
答案 0 :(得分:1)
使用mutate.merge选项:
input {
stdin {
codec => "json"
}
}
filter {
mutate {
merge => { "DictA" => "DictB" }
}
}
output {
stdout {}
}
使用此配置,您将得到:
{
"host" => "frsred-0077",
"@timestamp" => 2018-11-15T13:54:19.923Z,
"DictA" => {
"valueB" => 456,
"valueA" => 123
},
"DictB" => {
"valueB" => 456
},
"@version" => "1"
}
您必须删除DictB字段并重命名DictA才能获得所需的输出。