我正在使用logstash来收集我的apache日志,因此我有一个名为request_url的字段,其中包含的值如下所示:
POST /api_v1/services/order_service HTTP/1.1
POST /api_v2/services/user_service HTTP/1.0
我想创建包含API版本和服务名称的单独标签,例如
POST /api_v1/services/order_service HTTP/1.1 -> ["v1", "order_service"]
POST /api_v2/services/user_service HTTP/1.0 -> ["v2", "user_service"]
如何在logstash配置中实现此目的?谢谢你的任何指示。
答案 0 :(得分:0)
使用以下grok过滤器,您可以分离所需的组件,然后添加适当的标签
filter {
grok {
"match" => { "message" => "%{WORD:verb} /api_%{NOTSPACE:version}/services/%{WORD:service}" }
"add_tag" => ["%{version}", "%{service}"]
}
}
您将获得的事件将如下所示:
{
"message" => "POST /api_v1/services/order_service HTTP/1.1",
"@version" => "1",
"@timestamp" => "2016-06-07T02:52:01.136Z",
"host" => "iMac.local",
"verb" => "POST",
"version" => "v1",
"service" => "order_service",
"tags" => [
[0] "v1",
[1] "order_service"
]
}