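filter {
  grok {
    # Directory holding the custom pattern file that defines %{NGINX_LOGS}.
    # NOTE(review): this points inside the vendored logstash-patterns-core gem;
    # anything placed there is overwritten/lost on a Logstash or plugin upgrade.
    # Keep custom patterns in a path outside the install tree instead.
    patterns_dir => "/usr/local/logstash-6.3.2/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns"
    match => {
      "message" => "%{NGINX_LOGS}"
    }
    #match => [
    #  "message","%{NGINX_LOGS}",
    #  "message","%{USERHOST:userhost} %{USERNAME:username}"
    #]
    # Fields added only when the match succeeds. The names are sprintf-expanded
    # from [type]; if [type] is absent the literal text "name_%{type}_N" is used
    # as the field name.
    add_field => {
      "name_%{type}_0" => "hello world 0"
      "name_%{type}_1" => "hello world 1"
      "name_%{type}_2" => "hello world 2"
      "coerce_value" => "null"
    }
    # Single remove_field list. The original config repeated the option and the
    # second occurrence replaced the first, so "message" was never dropped and
    # the raw line was stored twice. Removal only happens on a successful match,
    # so events tagged _grokparsefailure keep the raw message for troubleshooting.
    remove_field => ["message", "name_%{type}_0"]
  }
  # Drop bare "HEAD / HTTP/1.0" requests (typical load-balancer health checks)
  # so they are not shipped to Elasticsearch. This is an exact string match;
  # any other HTTP version or path is kept.
  if [request] == "HEAD / HTTP/1.0" {
    drop {}
  }
  geoip {
    source => "remote_addr"
    database => "/usr/local/src/GeoLite2-City_20180807/GeoLite2-City.mmdb"
    fields => ["country_name","region_code", "city_name", "ip"]
  }
  # The copy lives in its own mutate so it sees the untouched remote_addr.
  # Inside one mutate block the plugin applies its operations in a fixed order
  # regardless of how they are written (copy runs last, after split/join), so
  # the original single-block form copied the joined "a-b-c-d" value into
  # client_addr rather than the dotted client address.
  mutate {
    copy => {
      "remote_addr" => "client_addr"
    }
  }
  mutate {
    # Type conversion: integer/float/string/boolean. Absent fields are skipped.
    convert => {
      "status" => "integer"
      "request_time" => "float"
    }
    # Split the string on "." into an array, then join the array with "-";
    # the net effect is that remote_addr becomes "a-b-c-d" (demo only).
    split => {
      "remote_addr" => "."
    }
    join => {
      "remote_addr" => "-"
    }
    # update: changes an existing field only (no-op if the field is missing).
    # The field name is literal; the value may use %{} references. Runs before
    # split/join, so it receives the dotted address.
    update => {
      "upstream_response_time" => "%{remote_addr}"
    }
    # replace: like update, but creates the field when it does not exist.
    replace => {
      "new_replace" => "%{remote_addr}"
    }
    # gsub triples: field name, regex (or literal), replacement. Only string
    # fields are supported.
    gsub => [
      "time_local", "\d{2}/[A-Za-z]{3}/[\d:]+", "this is time",
      "request", "HTTP", "http"
    ]
    # Rename http_referer to http_source.
    rename => {
      "http_referer" => "http_source"
    }
  }
}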
LogStash6.x版本中的filter参数解析
转载自blog.csdn.net/zcc_1126/article/details/88053221