
logstash check if field exists

I have log files coming in to an ELK stack. I want to copy a field (foo) in order to perform various mutations on it. However, the field (foo) isn't always present.

If foo doesn't exist, then bar still gets created, but is assigned the literal string "%{foo}".

How can I perform a mutation only if a field exists?

I'm trying to do something like this.

if ["foo"] {
  mutate {
    add_field => { "bar" => "%{foo}" }
  }
}

To check if field foo exists:

1) For numeric type fields use:

 if ([foo]) {
    ...
 }

2) For types other than numeric, like boolean or string, use:

if ("" in [foo]) {
    ...
}

"foo" is a literal string.

[foo] is a field.

# technically anything that returns 'true', so good for numbers and basic strings:
if [foo] {
}

# contains a value
if [foo] =~ /.+/ {
}

On Logstash 2.2.2, the ("" in [field]) construct does not appear to work for me.

if ![field] { }

does, for a non-numerical field.

It's 2020 and none of the above answers are quite correct. I've been working with logstash since 2014 and expressions in filter were, are and will be a thing...

For example, you may have a boolean field with a false value, and with the above solutions you may not know if false is the value of the field or the resulting value of the expression because the field doesn't exist.

Workaround for checking if a field exists in all versions

I think all versions of logstash support the [@metadata] field. That is, a field that will not be visible for output plugins and lives only in the filtering state. So this is what I have to work around it:

filter {

  mutate {
    # we use a "temporal" field with a predefined arbitrary known value that
    # lives only in filtering stage.
    add_field => { "[@metadata][testField_check]" => "unknown arbitrary value" }

    # we copy the field of interest into that temporal field.
    # If the field doesn't exist, copy is not executed.
    copy => { "testField" => "[@metadata][testField_check]" }
  }


  # now we know: if testField didn't exist, our field will have
  # the initial arbitrary value
  if [@metadata][testField_check] == "unknown arbitrary value" {

    # just for debugging purposes...
    mutate { add_field => { "FIELD_DID_NOT_EXISTED" => true }}

  } else {
    # just for debugging purposes...
    mutate { add_field => { "FIELD_DID_ALREADY_EXISTED" => true }}
  }
}

Old solution for logstash prior to version 7.0.0

Check my issue in GitHub.

I've been struggling a lot with expressions in logstash. My old solution worked until version 7. This was for boolean fields, for instance:

filter {

  # if the field does not exist, `convert` will create it with "false" string. If
  # the field exists, it will be the boolean value converted into string.
  mutate { convert => {  "field" => "string" } }

  # This condition breaks on logstash > 7 (see my bug report). Before version 7,
  # this condition will be true if a boolean field didn't exist.
  if ![field] {
    mutate { add_field => { "field" => false } }
  }
  # at this stage, we are sure field exists, so make it boolean again
  mutate { convert => { "field" => "boolean" } }
}
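
The sentinel workaround from the answer above, applied to the question's foo/bar case as a complete pipeline. This is an added example, not part of any answer on the page; the generator input, the three sample events and the [@metadata][foo_check] name are constructed for illustration.

```logstash
# Added example: constructed sample events, not taken from the page.
input {
  generator {
    codec => json
    count => 1
    lines => [
      '{"foo": "abc"}',
      '{"foo": false}',
      '{"other": 1}'
    ]
  }
}

filter {
  # Seed the sentinel first. It lives under [@metadata], so it is not
  # sent to outputs. A separate mutate block keeps the order explicit.
  mutate {
    add_field => { "[@metadata][foo_check]" => "unknown arbitrary value" }
  }

  # Per the answer above, copy is not executed when [foo] is absent,
  # so the sentinel survives only for events without [foo].
  mutate {
    copy => { "foo" => "[@metadata][foo_check]" }
  }

  if [@metadata][foo_check] != "unknown arbitrary value" {
    # [foo] exists, including the case where its value is boolean false,
    # so deriving [bar] from it cannot produce the literal "%{foo}".
    mutate {
      copy => { "foo" => "bar" }
    }
  }
}

output {
  # Print each event so the presence or absence of [bar] can be inspected.
  stdout { codec => rubydebug }
}
```

The event that carries only "other" is the one to inspect: it is the case where the question's config stored the literal string "%{foo}" in bar.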
