如何覆盖Kibana中的字段值?
[英]How to overwrite field value in Kibana?
问题描述
I am using Logstash to feed data into Elasticsearch and then analyzing that data with Kibana. 
我正在使用Logstash将数据提供给Elasticsearch,然后使用Kibana分析该数据。 I have a field that contains numeric identifiers. 我有一个包含数字标识符的字段。 These are not easy to read. 这些都不容易阅读。 How can I have Kibana overwrite or show a more human-readable value? 如何让Kibana覆盖或显示更具人性化的价值?
More specifically, I have a 'ip.proto' field. 更具体地说,我有一个'ip.proto'字段。 When this field contains a 6, it should be shown as 'TCP'. 当此字段包含6时,它应显示为“TCP”。 When this field contains a 7, it should be shown as 'UDP'. 当此字段包含7时,它应显示为“UDP”。
I am not sure which tool in the ELK stack I need to modify to make this happen. 我不确定我需要修改ELK堆栈中的哪个工具来实现这一点。
Thanks 谢谢
1 个解决方案
解决方案1
3 已采纳 2015-03-10 19:14:07
You can use conditionals and the mutate filter : 您可以使用条件和mutate过滤器 :
filter {
if [ip][proto] == "6" {
mutate {
replace => ["[ip][proto]", "TCP"]
}
} else if [ip][proto] == "7" {
mutate {
replace => ["[ip][proto]", "UDP"]
}
}
}
This quickly gets clumsy, and the translate filter is more elegant (and probably faster). 这很快变得笨拙,而且翻译过滤器更优雅(并且可能更快)。 Untested example: 未经测试的例子:
filter {
translate {
field => "[ip][proto]"
dictionary => {
"6" => "TCP"
"7" => "UDP"
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.