我的问题与logstash grok模式有关。我创建了下面的模式工作正常,但最大的问题不是字符串值。有时; “Y”和“age”可以为null,因此我的grok模式不会在elasticseach中创建任何日志。它工作不正常。我需要告诉我的格鲁克模式:
if(age is null || age i empty){
updatefield["age",0]
}
但我不知道如何制作它。顺便说说;我通过谷歌搜索检查了许多解决方案,但它与我的问题直接相关。
input {
file {
path => ["C:/log/*.log"]
start_position => "beginning"
discover_interval => 10
stat_interval => 10
sincedb_write_interval => 10
close_older => 10
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}\|"
negate => true
what => "previous"
}
}
}
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:formattedDate}.* X: %{DATA:X} Y: %{NUMBER:Y} Z: %{DATA:Z} age: %{NUMBER:age:int} "}
}
date {
timezone => "Europe/Istanbul"
match => ["TimeStamp", "ISO8601"]
}
json{
source => "request"
target => "parsedJson"
}
mutate {
remove_field => [ "path","message","tags","@version"]
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => [ "http://localhost:9200" ]
index => "logstash-%{+YYYY.MM}"
}
}
答案 0 :(得分:1)
您可以使用带有过滤器的conditionals检查字段是否存在或为空,
filter {
if ![age] or [age] == "" {
mutate {
update => { "age" => "0" }
}
}
}