logstash grok过滤器忽略消息的某些部分
[英]logstash grok filter ignore certain parts of message
问题描述
I have a drupal watchdog log file that starts with syslog things like timestamp etc, and then has a pipe delimited number of things that I logged in watchdog. 
我有一个drupal看门狗日志文件,该文件以syslog东西(例如timestamp等)开头,然后有一个管道分隔的我登录看门狗的东西。 Now I am writing a grok filter rule to get fields out of that. 现在,我正在编写一个grok过滤器规则,以将字段排除在外。
I have a few URLs in the message body so I use %{URI:request} for instance to get those. 我在邮件正文中有一些URL,所以我例如使用%{URI:request}来获取这些%{URI:request} 。 however that creates a field named port that is always null and I don't want to throw a lot of empty fields into my elasticsearch DB so I was wodnering how I could get rid of that empty array that looks like this : "port": [null, null, null] . 但是,这将创建一个名为port的字段,该字段始终为null,并且我不想将很多空字段放入我的Elasticsearch DB中,所以我在研究如何摆脱看起来像这样的空数组: "port": [null, null, null] 。
1 个解决方案
解决方案1
1 已采纳 2015-02-26 15:31:34
If you want to unconditionally drop a field, just add a remove_field => ['port'] to you grok block. 如果要无条件删除字段,只需在grok块中添加remove_field => ['port'] 。
If you want to conditionally remove something, you can use either a ruby filter to check what is in the field before removing it, or use an if around a mutate { remove_field => ['port'] } filter. 如果要有条件地删除某些内容,则可以使用ruby过滤器在删除之前先检查字段中的内容,或者在mutate { remove_field => ['port'] }过滤器周围使用if 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.