How to index Custom field from logstash in elastic search?
Below is my logstash config file.
input {
  stdin{}
}
filter {
  mutate {
    if(message =~ "*FF"){
      add_field => { "vname" => "olive" }
    }
    else{
      add_field => { "vname" => "popeye" }
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "servererrors"
  }
}
The image below shows my Kibana output.
http://i.stack.imgur.com/pJANQ.png
The problem is I need to filter "olive" alone. As you can see, there is a filter in and filter off for the host field, but it is not available for the vname field.
Below is my mapping file response for vname:
"vname": {
  "type": "string",
  "store": true
},
I am confused with templates and mappings. Please explain clearly.
Add an "if" statement and the grok plugin. You need to parse these events separately. If you show your events, I can help you with the filter.
Based on your recent edit, it looks like you're just a little backwards on the syntax:
filter {
  if [myField] == "myValue" {
    mutate {
      add_field => { ... }
    }
  }
  else {
    mutate {
      add_field => { ... }
    }
  }
}
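The conditional form from the answer above, applied to the full configuration in the question. This is an added example, not part of the original posts; it assumes the "*FF" pattern in the question was meant to match any message containing FF.

```logstash
input {
  stdin {}
}

filter {
  # Conditionals wrap the plugin block; they cannot appear inside mutate { }.
  # Assumption: the "*FF" pattern in the question was meant to match any
  # message containing "FF". A regex cannot begin with "*", so /FF/ is used.
  if [message] =~ /FF/ {
    mutate {
      add_field => { "vname" => "olive" }
    }
  } else {
    mutate {
      add_field => { "vname" => "popeye" }
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "servererrors"
  }
}
```

With this filter, a line typed on stdin that contains FF produces an event whose vname is olive in the rubydebug output; any other line gets popeye.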