Question

我是Logstash的新手。尝试将if语句放入Logstash配置文件时，它给我错误

如果使用的语句是：

if {await} > 10 
{ mutate {add_field => {"RULE_DATA" => "Value is above threshold"}
    add_field => {"ACTUAL_DATA" => "%{await}"}
    }
}

面临的错误如下：

[错误] 2018-07-20 16：52：21.327 [Ruby-0-Thread-1：/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/ lib / stud / task.rb：22]代理-无法执行操作{：action => LogStash :: PipelineAction :: Create / pipeline_id：main，：exception =>“ LogStash :: ConfigurationError”，：message =>“期望＃，=>之一，位于第18行，过滤器之后的第10列（字节729）{\ n grok {\ npatterns_dir => [\“ ./ patterns \”] \ n match => {\“ message \” => [\“％{TIME：time}％{SPACE}％{USERNAME：device}％{SPACE}％{USERNAME：tps}％{SPACE}％{SYSLOGPROG：rd_sec / s}％{SPACE}％{SYSLOGPROG：wr_sec / s}％{SPACE}％{SYSLOGPROG：avgrq-sz}％{SPACE}％{SYSLOGPROG：avgqu-sz}％{SPACE}％{NUMBER：await}％{SPACE}％{SYSLOGPROG：svctm}％{SPACE }％{SYSLOGPROG：％util} \“] \ n} \ n覆盖=> [\”消息\“] \ n} \ n如果\ tags中的\” _ grokparsefailure \“ {\ n drop {} \ n} \ nif {await“，：backtrace => [” / usr / share / logstash / logstash-core / lib / logstash / compiler.rb：42：在compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in compile_graph'“中，” / usr / share / logstash / logstash-core / lib / logstash / compiler.rb：12：在block in compile_sources'", "org/jruby/RubyArray.java:2486:in map'“中，” / usr / share / logstash / logstash-core / lib / logstash / compiler.rb：11：在compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:in中初始化“”，“ /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in {{1 }}执行'“，” /usr/share/logstash/logstash-core/lib/logstash/agent.rb:315：在initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in with_pipelines'“，” / usr / share / logstash / logstash-core / lib / logstash / agent.rb：312：in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in中的每个“”，“ / usr / share / logstash / logstash-core / lib / logstash / agent.rb：299：in block in converge_state'", "org/jruby/RubyArray.java:1734:in中的converge_state_and_update'“，” /usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:in converge_state_and_update'“，” / usr / share / logstash / logstash-core / lib / logstash / agent.rb：90：在with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:in块中执行'“，” /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/ task.rb：24：in在“初始化块”中“”}

请提出导致此错误的原因。

Answer 1

您有语法错误。如果您有一个字段作为名称，则等待。像 grok 解析等的输出。使用下面的

if [await] > 10 
{ 
    mutate {
       add_field => {"RULE_DATA" => "Value is above threshold"}
       add_field => {"ACTUAL_DATA" => "%{await}"}
    }
}

Answer 2

用[]而不是{}括起来的Logstash条件表达式，请看以下来自conditional documentation的示例，

filter {
  if [action] == "login" {
    mutate { remove_field => "secret" }
  }
}

通过if语句

2 个答案: