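Hello, I am using the kv filter to split my string, and I would like to know how to place the values after splitting them. For example:
My logs look like this: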
47.30.221.46 - - [04/Sep/2017:13:24:44 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=sunrise%20hy&explain=true&bridge=true HTTP/1.1" 200 2522 45402
47.30.221.46 - - [04/Sep/2017:13:24:46 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=hy&explain=true&bridge=true HTTP/1.1" 200 2169 55267
47.30.221.46 - - [04/Sep/2017:13:24:47 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=hyun&explain=true&bridge=true HTTP/1.1" 200 2530 29635
47.30.221.46 - - [04/Sep/2017:13:24:47 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=hyunda&explain=true&bridge=true HTTP/1.1" 200 2572 25449
47.30.221.46 - - [04/Sep/2017:13:24:48 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=hyundai&explain=true&bridge=true HTTP/1.1" 200 3576 28007
47.30.221.46 - - [04/Sep/2017:13:24:58 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=su&explain=true&bridge=true HTTP/1.1" 200 2354 96861
47.30.221.46 - - [04/Sep/2017:13:24:58 +0530] "GET /api/v1.2/places/search/json?username=gaurav.saxena889&location=28.5506382,77.2689024&query=sun&explain=true&bridge=true HTTP/1.1" 200 3224 50897
My Logstash configuration file looks like this:
input {
  beats {
    port => 5044
    client_inactivity_timeout => 86400
  }
}
filter {
  # Parse the access-log line; the raw query string ends up in "request"
  grok {
    match => {
      "message" => "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:method} /api/v%{NUMBER:version}/%{DATA:resource}/%{DATA:subresource}/%{DATA:response_type}\?%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response_code} (?:%{NUMBER:data_transfered}|-) %{NUMBER:response_time}"
    }
  }
  # Split the query string into one field per parameter
  kv {
    source => "request"
    field_split => "&"
  }
  # Normalise the search term into a single field name
  if [query] {
    mutate {
      rename => { "query" => "searched_keyword" }
    }
  } else if [keyword] {
    mutate {
      rename => { "keyword" => "searched_keyword" }
    }
  }
  if [refLocation] {
    mutate {
      rename => { "refLocation" => "location" }
    }
  }
  mutate {
    convert => { "response_code" => "integer" }
  }
  mutate {
    convert => { "data_transfered" => "integer" }
  }
  mutate {
    convert => { "version" => "float" }
  }
  mutate {
    convert => { "response_time" => "integer" }
  }
  # Split the location value on ","
  if [location] {
    kv {
      source => "location"
      value_split => ","
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logstash_apachelogs"
    document_type => "log"
  }
}
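If you look at the last kv filter, I am splitting my location value on ",". I have two questions:
As you can see from the log, I run the kv filter on location=28.5506382,77.2689024 and split the value on ",". How can I now use the split values in the geoip filter, as follows:
geoip {
  source => "ClientIP"
  target => "geoip"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
How can I replace %20 in the query parameter with a space?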
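The transformation the post is after (split the query string, decode %20, turn location into a latitude/longitude pair) is shown below as an added Python example; it is not part of the original post and is not Logstash configuration. The field names searched_keyword and location follow the posted config; the lat/lon key names, the function names and the username in the sample line are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in the same shape as the log lines in the post.
SAMPLE = ('47.30.221.46 - - [04/Sep/2017:13:24:44 +0530] '
          '"GET /api/v1.2/places/search/json?username=demo.user'
          '&location=28.5506382,77.2689024&query=sunrise%20hy'
          '&explain=true&bridge=true HTTP/1.1" 200 2522 45402')

LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^?\s"]+)(?:\?(?P<request>[^\s"]*))? HTTP/[\d.]+" '
    r'(?P<response_code>\d{3}) (?P<bytes>\d+|-) (?P<response_time>\d+)$')


def parse_location(value):
    """Split 'lat,lon'; return {'lat': float, 'lon': float} or None if invalid."""
    parts = value.split(",")
    if len(parts) != 2:
        return None
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return None
    # Reject out-of-range values (this also rejects 'nan' and 'inf').
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return {"lat": lat, "lon": lon}


def parse_line(line):
    """Return the event fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # parse_qsl splits on '&' and '=' and percent-decodes, so %20 becomes a space.
    params = dict(parse_qsl(event.pop("request") or "", keep_blank_values=True))
    keyword = params.get("query", params.get("keyword"))
    if keyword is not None:
        event["searched_keyword"] = keyword
    raw_loc = params.get("location", params.get("refLocation"))
    if raw_loc is not None:
        event["location"] = parse_location(raw_loc)
    event["response_code"] = int(event["response_code"])
    return event
```

A location that does not parse as two in-range numbers comes back as None, so a malformed or hostile query string cannot push a bogus coordinate into the index.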