堆栈内存溢出
  简体   繁体   English

logstash-动态字段名称

[英]logstash - dynamic field names

 原文  2016-06-07 16:51:59       logstash/ elastic-stack

问题描述

I have problem with dynamics field names in my Logstash configuration. 我的Logstash配置中的动态字段名称有问题。 This is my test config: 这是我的测试配置: 

input {
generator {
    lines => [ "May 15 13:42:55 logstash puppet-agent[3551]: Finished catalog run in 43",
                "May 16 14:57:07 logstash puppet-agent[3551]: Starting Puppet client version" ]
    count => 7
}
}
filter {
   grok {
     match => [ "message", "%{SYSLOGBASE} %{WORD:log}.*" ]
   }

        if "Starting" in [log] {
        metrics {
          meter => [ "%{logsource}.%{log}" ]
          add_tag => [ "metric" ]
          add_field => { "server" => "%{logsource}" 
                        "bad" => "true" }
          clear_interval => 5
                }
       }
}
output {
        stdout { codec => rubydebug }
}

and here is my output: (just end of output) 这是我的输出:(仅输出结尾) 

{
       "message" => "May 15 13:42:55 logstash puppet-agent[3551]: Finished catalog run in 43",
      "@version" => "1",
    "@timestamp" => "2016-06-07T07:37:50.138Z",
          "host" => "logstash.test.lan",
      "sequence" => 6,
     "timestamp" => "May 15 13:42:55",
     "logsource" => "test",
       "program" => "puppet-agent",
           "pid" => "3551",
           "log" => "Finished"
}
{
       "message" => "May 16 14:57:07 logstash puppet-agent[3551]: Starting Puppet client version",
      "@version" => "1",
    "@timestamp" => "2016-06-07T07:37:50.138Z",
          "host" => "logstash.test.lan",
      "sequence" => 6,
     "timestamp" => "May 16 14:57:07",
     "logsource" => "test",
       "program" => "puppet-agent",
           "pid" => "3551",
           "log" => "Starting"
}
{
      "@version" => "1",
    "@timestamp" => "2016-06-07T07:37:50.288Z",
       "message" => "Counting: 7",
      "logstash.Starting" => {
           "count" => 7,
         "rate_1m" => 0.0,
         "rate_5m" => 0.0,
        "rate_15m" => 0.0
    },
        "server" => "%{logsource}",
           "bad" => "true",
          "tags" => [
        [0] "metric"
    ]
}

Why field server don´t have logstash as value from the input logs? 为什么现场服务器没有logtash作为输入日志中的值? %{logsource} works for meter option, so why not for add_field ? %{logsource}适用于电表选项,为什么不适用于add_field呢? Thx for help. 谢谢。

1 个解决方案

解决方案1
 0 已采纳  2016-06-15 18:38:48

When a log event is received, the SYSLOGBASE information is extracted from the content. 接收到日志事件时,将从内容中提取SYSLOGBASE信息。 This is where the %{logsource} value is defined. 这是%{logsource}值的定义位置。 If the event isn't coming from a log entry that contains SYSLOGBASE information, then logsource will be undefined. 如果事件不是来自包含SYSLOGBASE信息的日志条目,则日志源将是未定义的。

When you receive a start message, logsource is defined in scope and is added to your message. 当您收到一条开始消息时,日志源将在作用域中定义并添加到您的消息中。

The metrics plugin is generating a new message per interval. 指标插件会按时间间隔生成一条新消息。 This message is generated from scratch so it does not have the value of logsource or anything else that would normally be obtained from an individual log entry. 该消息是从头开始生成的,因此它不具有logsource的值或通常从单个日志条目中获取的任何其他值。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Logstash:基于文件名的动态字段名称 - Logstash: Dynamic field names based on filename 用logstash重命名动态字段 - Rename a dynamic field with logstash Logstash-将字段名称转换为小写 - Logstash - Convert Field Names to Lowercase 用于多个字段名称的Logstash技术 - Logstash Technique For Multiple Field Names 更改 logstash 中的动态字段值 - change dynamic field value in logstash Logstash覆盖字段名称全部小写 - Logstash coverting field names to all lowercase 匹配Logstash突变过滤器中的多个字段名称 - Match multiple field names in logstash mutate filter 如何使用logstash删除字段名称中的下划线? - How to remove underscores in field names with logstash? Logstash 从配置中动态创建字段 - Logstash dynamic create field from configuration 来自文档字段的Logstash动态索引失败 - Logstash Dynamic Index From Document Field Fails
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM