我要删除otherString字段。我已经尝试过,但是没有影响。
input {
tcp {
port => "5000"
}
}
filter {
grok {
match => {"message" => "{\"serviceName\":\"%{DATA:indexName}\",\"%{DATA:otherString\"}}"}
}
json {
source => "message"
}
mutate {
remove_field => ["message", "otherString"]
add_field => { "[@metadata][index_name]" => "%{indexName}" }
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "%{[@metadata][index_name]}"
}
stdout { codec => rubydebug }
}
输出:
{
"@timestamp" => 2019-03-26T12:43:45.628Z,
"level" => "info",
"userId" => "bbs234isad2i3h4isand",
"indexName" => "bff_web",
"otherString\\" => "datetime\":\"2019-02-02 18:13:45:311\",\"userId\":\"bbs234isad2i3h4isand\",\"apiName\":\"/v1/admin/deposit/purpose\",\"apiResponseTime\":3692,\"accessedTables\":[\"-\"],\"userIP\":\"127.0.0.1\",\"reqParam\":{",
"apiResponseTime" => 3692,
"reqMethod" => "POST",
"port" => 565656,
"serviceName" => "bff_web",
"apiName" => "/v1/admin/deposit/purpose",
"@version" => "1",
"userIP" => "127.0.0.1",
"file" => "/Users/private/Desktop/arjun-git/bff-web/cashiers.server.controller.js",
"label" => "/usr/local/bin/node",
"accessedTables" => [
[0] "-"
],
"line" => "4972",
"reqParam" => {},
"host" => "2.2.2.2",
"datetime" => "2019-02-02 18:13:45:311"
}
答案 0 :(得分:0)
您的字段名称似乎是“ otherString \”,与“ otherString”不同。您可以尝试先修改该字段的命名方式还是改用mutate过滤器以匹配该特定字段的名称?