如何在logstash过滤器中获取消息的第一个char

时间:2016-01-13 12:23:26

标签: filter logstash logstash-grok

我想获取消息的第一个字符,以便应用xml或json过滤器,但我甚至不知道如何启动 ```

filter {
  if [type]=="mom_rubens" {
    if [message] = "<*" {
      xml {
        source => "message"
        store_xml => false
        xpath => [
          "/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
          "/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
        ]
        target => "xml"
      }
    }
    else if [message] = "{*" {
      json {
        source => "message"
      }
    }
  }

```

if [message] =“

```

感谢您的帮助

致以最诚挚的问候,Guillaume

2 个答案:

答案 0 :(得分:1)

应该是:

if [message] =~ /^<xml/ {
    ...
}

答案 1 :(得分:0)

我认为这很好

filter {
  if [type]=="mom_rubens" {
    if ([message] =~ /^</) {
      xml {
        add_field => { "genre" => "xml" }
        source => "message"
        store_xml => false
        xpath => [
          "/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
          "/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
        ]
        target => "xml"
      }
    }
    else if ([message] =~ /^{/) {
      json {
        add_field => { "genre" => "json" }
        source => "message"
      }
    }
  }

但是在json数据中,我有一个'type'字段会给我带来很多麻烦,因为它会覆盖我原来的'type field'(一旦解析了json,就不再使用mom_rubens了)

我是否有办法重命名json中的字段

{"sender":"opa","type":"update","programId":"065491-000-A","emNumber":"065491-000","reassembly":"A","programCaseCode":452,"genrePressCode":0,"kind":"SHOW","parents":[],"routingKey":"update.INTERNET.K_SHOW.ALW.PRG_ANG.PRG_ESP.C452.G0","platforms":["ALW","PRG_ANG","PRG_ESP"],"date":"2016-01-14T13:49:40+0100"}

在这种情况下,我想有typemessage而且没有类型

此致

相关问题
最新问题