Question

我正在尝试通过logstash将数据从csv文件提供给elasticsearch。我的CSV文件包含两种类型的输入REQUEST和RESPONSE。

如果输入包含＆＃34; | REQUEST |＆＃34;字符串然后它有6个标题和如果输入包含＆＃34; | RESPONSE |＆＃34;字符串然后它有9个标题

示例输入数据：

2016-04-04 01:37:36,724|INFO|RI404013736|REQUEST|PaymentVia3DS|PT160115.02516
2016-04-04 01:38:36,724|INFO|RI888993736|RESPONSE|PaymentVia3DS|PT160115.0251|556656|4498399|XYZ9

过滤器：

filter {
    if "REQUEST" in [tags] {
        csv {
            columns => ["@timestamp","LOG_TYPE","REQUEST_ID","REQUEST_TYPE","TANSACTION_TYPE","USER_IDENTIFIER"]
            separator => "|"
        }
    }

    if "RESPONSE" in [tags] {
        csv {
            columns => ["@timestamp","LOG_TYPE","REQUEST_ID","REQUEST_TYPE","TANSACTION_TYPE","USER_IDENTIFIER","CODE","ABC","ID_TYPE"]
            separator => "|"
        }
    }

}

过滤器不适用于我的数据。这样做的正确方法是什么？

Answer 1

听起来你正在寻找“消息”字段中的条件：

if [message] =~ /REQUEST/ {
    ...
}
else if [message] =~ /RESPONSE/ {
    ...
}

基于输入的CSV中的条件标头

1 个答案: