为 elasticsearch 中归档的消息创建自定义 grok 模式
[英]Create custom grok pattern to message filed in elasticsearch
问题描述
I am having a query related to grok processor.
我有一个与 grok 处理器相关的查询。 For example this is my message filed例如,这是我提交的消息
{
"message":"agentId:agent003"
}
I want to Grok this and my output should me something like this我想 Grok 这个和我的 output 应该像这样
{
"message":"agentId:agent003",
"agentId":"agent003"
}
Could some one help me on this how to achieve this?有人可以帮我解决这个问题吗? If i am able to do it for one field i can manage for rest of my fields.如果我能够为一个领域做到这一点,我可以管理我领域的 rest。 Thanks in advance.提前致谢。
This is the pipeline i have created in elasticsearch这是我在 elasticsearch 中创建的管道
PUT _ingest/pipeline/dissectpipeline
{
"description" : "split message content",
"processors": [
{
"dissect": {
"field": "message",
"pattern" : "%{apm_application_message.agentId}:%{apm_application_message.agentId}"
}
}
]
}
Central management added filebeat module other config中央管理添加了filebeat模块其他配置
- pipeline:
if: ctx.first_char == '{'
name: '{< IngestPipeline "dissectpipeline" >}'
There is no error with my filebeat it's working fine but i am unable to find any field like apm_application_message.agentId in index.我的 filebeat 没有错误,它工作正常,但我无法在索引中找到像 apm_application_message.agentId 这样的任何字段。
How to make sure my pipeline working or not.如何确保我的管道正常工作。 Also if i am doing something wrong please let me know.另外,如果我做错了什么,请告诉我。
1 个解决方案
解决方案1
1 已采纳 2020-06-17 06:32:50
Instead of grok I'd suggest using the dissect filter instead with, which is more intuitive and easier to use.我建议不要使用 grok ,而是使用dissect过滤器,它更直观且更易于使用。
dissect {
mapping => {
"message" => "%{?agentId}:%{&agentId}"
}
}
If you're using Filebeat, there is also the possibility to use the dissect processor :如果您使用的是 Filebeat,也可以使用 dissect dissect :
processors:
- dissect:
tokenizer: "%{?agentId}:%{&agentId}"
field: "message"
target_prefix: ""
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.