Modify a given field based on its content and store the result in different new fields

Time: 2017-02-13 12:11:12

Tags: elasticsearch logstash

I created this new topic to avoid confusion, but it is related to the following topic, which has already been resolved:

Modify the content of a field using logstash

Suppose that in the field named code the content can also be words, for example notificationmountain; I want to create another field named code_word to store the content of those words.

So, from the field named code in the database, depending on its content, it would create code_short or code_word.

I am trying something like this:

grok {
  match => { "code" => "(?<prefix>[a-zA-Z]+)000000%{INT:suffix} %{WORD:word}" }
  add_field => { "code_short" => "%{prefix}%{suffix}"}
  add_field => { "code_word" => "%{word}"}
}

But obviously it does not work: _grokparsefailure.

I don't know how to do it, and I wonder whether it can be done with a condition like "if".

This is the output:

{
   "took": 5,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 43,
      "max_score": 1,
      "hits": [
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg75",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.360Z",
               "code": "molfix-oat",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg77",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.365Z",
               "code": "PO0000002221",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8C",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.372Z",
               "code": "ST0000003302",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8K",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.382Z",
               "code": "notifications-set",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8M",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.384Z",
               "code": "PO0000001111",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8N",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.385Z",
               "code": "PO0000000808",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8R",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.388Z",
               "code": "TT0000000009",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8U",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.391Z",
               "code": "ST0000001113",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8c",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.398Z",
               "code": "test/bin/UT0",
               "@version": "1",
               "tags": []
            }
         },
         {
            "_index": "test1",
            "_type": "data",
            "_id": "AVo3yno0PoyZlwFEpg8g",
            "_score": 1,
            "_source": {
               "@timestamp": "2017-02-13T14:05:00.400Z",
               "code": "PO0000001203",
               "@version": "1",
               "tags": []
            }
         }
      ]
   }
}

1 answer:

Answer 0: (score: 0)

The simplest way is to detect the grokparsefailure and assign the value to code_word instead:

# Split codes such as PO0000002221 into prefix PO and suffix 2221.
grok {
  match => { "code" => "(?<prefix>[a-zA-Z]+)000000%{INT:suffix}" }
  add_field => { "code_short" => "%{prefix}%{suffix}"}
}
# Anything grok could not parse is a plain word: copy it into code_word.
if "_grokparsefailure" in [tags] {
   mutate {
      add_field => { "code_word" => "%{code}"}
      remove_field => ["tags"]
   }
}
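To see which of the sample codes from the question's output end up in code_short and which fall through to code_word, here is an added Ruby simulation of the answer's pipeline (not Logstash code and not part of the answer); it expands the grok pattern into an equivalent Ruby regex and assumes grok's standard `%{INT}` definition, `(?:[+-]?(?:[0-9]+))`.

```ruby
# Added simulation of the answer's Logstash pipeline, not Logstash code itself.
# grok's %{INT} expands to (?:[+-]?(?:[0-9]+)); the "code" field is matched
# unanchored, which is what the grok filter does by default.
GROK_CODE = /(?<prefix>[a-zA-Z]+)000000(?<suffix>(?:[+-]?(?:[0-9]+)))/

# The grok filter: on a match add code_short, otherwise tag the event.
def grok_filter(event)
  m = GROK_CODE.match(event["code"].to_s)
  if m
    event["code_short"] = "#{m[:prefix]}#{m[:suffix]}"
  else
    (event["tags"] ||= []) << "_grokparsefailure"
  end
  event
end

# The conditional block: unparsed codes become code_word and tags are dropped.
def fallback_filter(event)
  if (event["tags"] || []).include?("_grokparsefailure")
    event["code_word"] = event["code"]
    event.delete("tags")
  end
  event
end

def enrich(event)
  fallback_filter(grok_filter(event))
end

# Constructed sample events reusing the code values shown in the question's output.
SAMPLE_CODES = %w[molfix-oat PO0000002221 ST0000003302 notifications-set
                  TT0000000009 test/bin/UT0].freeze

def enrich_samples(codes = SAMPLE_CODES)
  codes.map { |c| enrich({ "code" => c, "tags" => [] }) }
end

if __FILE__ == $PROGRAM_NAME
  enrich_samples.each { |e| puts e.inspect }
end
```

Note that the suffix keeps its leading zeros (TT0000000009 becomes TT0009) and the pattern is unanchored, so add `^` and `$` to the grok match if codes with extra text before or after the number must also fall through to code_word.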