用ruby过滤器创建一个新字段

时间:2019-01-30 09:38:59

标签: ruby logstash logstash-grok logstash-configuration

因此,这里的params是一个哈希,我想将所有键连接起来并将其存储到新字段中,如何实现呢?我发现可以在配置文件中使用嵌入式红宝石代码,但是,我不知道如何分配concat的返回值。 

grok { match => { "request" => [ "url", "%{URIPATH:url_path}%{URIPARAM:url_params}?" ]} }
  urldecode{ field => "url_path" }
  mutate { gsub =>  ["url_params","\?","" ] }
  kv {
    field_split => "&"
    source => "url_params"
    target => "params"
  }
  urldecode{ field => "params" }

  ruby {
    code => 'pattern= params.keys.join(",")'
    #Pattern should be the new field that contains the key, separated by comma
  }

预期结果应该是:

pattern =“ param1,param2,param3 ...依此类推”

1 个答案:

答案 0 :(得分:0)

解决方案是:

event.set('field_name', field_value)
相关问题
最新问题