尝试使用“memorize”插件,如下所示:
if [message] =~ /matching event/ {
grok {
match => [ "message", "%{mymatch:datetime}" ]
}
memorize {
field => [datetime]
}
}
if [message] =~ /another event/ {
mutate {
add_field => {
datetime => "%{datetime}"
}
}
}
正在添加名为datetime的字段,但它只包含文本“%{datetime}”。显然我错误地使用了这个插件。有人可以建议如何参考记忆的价值吗?
感谢。
答案 0 :(得分:2)
插件的工作方式如下:
if [message] =~ /matching event/ {
grok {
match => [ "message", "%{mymatch:datetime}" ]
}
}
# either save the datetime or add it based on last value
memorize {
field => 'datetime'
default => '00:00:00'
}
if [message] =~ /another event/ {
# datetime has already been added based on the above line
}