_ source是“ tot_rjt_file_cnt:0 @version:1 log.file.path:/home/xxx/xxx-logs/ase/load01/xxxxx.xxx.com_SORT_dis_loader_daily_rpt.loglog.offset:67,825 tot_rty_file_cnt:0 ecs.version:1.0.0agent.version:7.2.0agent.ephemeral_id:0b7a5cff-79c8-4d45-9936-9d14db9eab54agent.hostname:xxxxxx.xxxxx.com agent.id:fa4e2cd0-7ad4-“
这里我的日志文件路径是
/ home / xxxx / xxx-logs / ase / load01 / xxxxxx.xxxx.com_SORT_dis_loader_daily_rpt.log
我想用“ ase”创建新文件。添加logstash过滤器:
filter {
grok { match => { "message" => "%{WORD:timestamp}\s%{BASE10NUM:total_file_cnt:int}\s%{BASE10NUM:total_ld_ok_cnt:int}\s%{BASE10NUM:total_ld_time:float}\s%{BASE10NUM:sec_per_tot_file:float}\s%{BASE10NUM:sec_per_ld_file:float}\s%{BASE10NUM:tot_rty_file_cnt:int}\s%{BASE10NUM:tot_rjt_file_cnt:int}" }
overwrite => [ "message" ]
}
date {
locale => "en"
match => [ "timestamp", "yyyyMMdd" ]
}
if "ase" in [log.file.path] { mutate { add_field => { "site" => "ASE" } }
}
}
请您帮忙将add_field名称作为“ Site”,值是“ ASE”
谢谢。
问题来自if中的情况:
if "ase" in [log.file.path] { }
将查看数组log.file.path是否包含字符串ase,显然不是这样(因为log.file.path是not一个数组)。
如果要检查log.file.path是否包含/ase/,请使用:
if [log.file.path] =~ "\/ase\/" { }