我正在尝试分配"演员":" githubuser"比如$ actor =" gituser"和$ repo =" gituser / logstashreppo",如果我得到的值被赋予变量,我可以使用这里复制的exec函数执行我的脚本。请分享您的想法
整个输出是
{
_index: "logstash-2014.11.20",
_type: "syslog",
_id: "76ggV_gfWS5u2L9rcMNCWaQ",
_score: 0.35005248,
_source: {
message: "github_audit: {"actor_ip":"192.168.1.1","from":"repositories#create","actor":"gituser","repo":"gituser/logstashreppo","action":"staff.repo_route","created_at":1236483708817,"repo_id":44758,"actor_id":1033,"data":{"actor_location":{"location":{"lat":null,"lon":null}}}}",
@version: "1",
@timestamp: "2014-11-17T11:41:50.142Z",
host: "192.168.1.1",
type: "syslog",
syslog5424_pri: "190",
timestamp: "Nov 17 03:41:50",
actor_ip: "192.168.1.1",
from: "repositories#create",
actor: "gituser",
repo: "gituser/logstashrepo",
action: "staff.repo_route",
created_at: 1236483708817,
repo_id: 44758,
actor_id: 1033,
data: {
actor_location: {
location: {
lat: null,
lon: null
}
}
}
}
}
,
我的配置文件是:
filter {
grok {
match => [
"message",
"%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{GREEDYDATA:message}"
]
overwrite => ["host", "message"]
}
if [message] =~ /^git_audit: / {
grok {
match => ["message", "^git_audit: %{GREEDYDATA:json_payload}"]
}
json {
source => "json_payload"
remove_field => "json_payload"
}
mutate {
rename => ["[json][repo]", "repo"]
remove_field => "json"
}
}
}
input {
exec {
type => "audit-log"
command => "perl test.pl $actor"
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
答案 0 :(得分:0)
在exec plugin's documentation中确实有您想要的一个例子。
exec {
type => "audit-log"
command => "perl test.pl %{actor}"
}
另请参阅"sprintf format" section in the documentation of the configuration file format,但请注意%{fieldname}语法在所有字符串中都不起作用(并且没有详细记录它的工作原理以及它所处的位置&#39} ; t)的
最后,请注意,对于像exec这样的输出插件,不推荐使用type属性。你应该像这样重写它:
if [type] == "audit-log" {
exec {
command => "perl test.pl %{actor}"
}
}