Logstash grok match filter what is the message key?

For almost every grok filter when using "match" the value is another hash whose key is "message". What is the significance of the key "message"?

It seems like the value portion of the hash is where all the parsing happens. Is this key just always message? Does the key have any effect on the outputted values?

filter {
  grok {
    match => { "message" => "%{SYSLOGBASE} %{DATA:data}" }
  }
}

In this case, message is a property of the event class. An event comes from the input, i.e. for a STDOUT input (or any syslog file for example) each line will be a new event where message will be the actual text in that line.

What the grok filter will do with the sample code you've given is essentially something along the lines of:

(pseudocode)

 match(event, field, pattern)
   value = event.get(field) #field = 'message'; value = the actual text
   pattern.match(value)

If the match is successful it will then change the value of event.message because you do %{DATA:message}.

If you're interested the relevant source code is here, particularly match() and handle().
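
The field lookup sketched in the pseudocode above, as an added Ruby example that is not part of the original answer and is not Logstash's code: a minimal grok-like matcher showing that the `match` key selects which event field is read, and that a wrong key yields a `_grokparsefailure` tag instead of parsed fields. The pattern subset, the sample line, the `log_line` field and the names `compile_grok`, `grok` and `demo` are assumptions made for illustration.

```ruby
# Added illustration of grok's field lookup; not Logstash's implementation.
# PATTERNS is a small constructed subset of a grok pattern library.
PATTERNS = {
  "WORD" => '\w+',
  "INT"  => '[+-]?\d+',
  "IP"   => '\d{1,3}(?:\.\d{1,3}){3}',
  "DATA" => '.*?'
}.freeze

# Expand %{NAME:field} into a named capture and %{NAME} into a plain group.
def compile_grok(pattern)
  source = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(source)
end

# match is { source_field => pattern }. The key only selects which event
# field is read; the capture names in the pattern decide what gets written.
def grok(event, match)
  matched = false
  match.each do |field, pattern|
    value = event[field]
    next unless value.is_a?(String)
    m = compile_grok(pattern).match(value)
    next unless m
    m.named_captures.each { |name, text| event[name] = text }
    matched = true
    break
  end
  (event["tags"] ||= []) << "_grokparsefailure" unless matched
  event
end

# Constructed sample line and pattern (hypothetical, for illustration only).
LINE    = "Failed password for root from 203.0.113.7 port 22"
PATTERN = "Failed password for %{WORD:user} from %{IP:src_ip} port %{INT:src_port}"

def demo
  [
    grok({ "message"  => LINE }, { "message"  => PATTERN }), # key names the field holding the text
    grok({ "log_line" => LINE }, { "message"  => PATTERN }), # no "message" field: parse failure
    grok({ "log_line" => LINE }, { "log_line" => PATTERN })  # key changed to match the field
  ]
end

demo.each { |event| p event } if __FILE__ == $PROGRAM_NAME
```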
