Logstash 变异过滤器 gsub 嵌套字段
[英]Logstash mutate filter gsub nested field
问题描述
I am trying to filter some e-mails in logstash before sending it to ES.
我正在尝试在将其发送到 ES 之前过滤 logstash 中的一些电子邮件。
I have one field still containing e-mail adresses and can't gsub it by mutate filter.我有一个字段仍然包含电子邮件地址,并且无法通过 mutate 过滤器对其进行 gsub。
mutate {
gsub => [
"log", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}", "--- FILTERED FROM LOGS ---",
"message", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}", "--- FILTERED FROM LOGS ---"
]
}
JSON: JSON:
{
"_index": "logs-2021.03.09.11",
"_type": "doc",
"_id": "sdfsdf",
"_version": 1,
"_score": null,
"_source": {
"source": "stderr",
"@timestamp": "2021-03-09T11:39:38.413Z",
"kubernetes": {
"namespace": "sdfsdk",
"labels": {
"pod-template-hash": "sdfsdf",
"app": {
"softwear": {
"co/name": "sdfsd",
"co/domain": "sdfsdf"
}
},
"log": {
"extra_fields": {
"ctxt_response": "{\"records_id\":[{\"ext_id\":\"sdfsdf\",\"fcc_id\":sdfsdfsd,\"external_id\":\"sdfsdf\"}],\"success\":true}",
"requestDevice": "\"\"",
"ctxt_request": "{\"hash\":\"56kdfhsdfjshdkf\",\"change\":\"sdsd\",\"campaigns_id\":114,\"method\":\"sha1\",\"login\":\"test\",\"records\":[{\"emails\":[\"email-to-delete@gmail.com\"],\"external_id\":\"sdsdK\"}]}",
"ctxt_response_code": "200"
},
How can I get nested field and gsub it?我怎样才能获得嵌套字段并 gsub 呢? [log][extra_fields][ctxt_request] [日志][额外字段][ctxt_request]
1 个解决方案
解决方案1
0 2021-03-10 02:58:07
Try this:尝试这个:
mutate {
gsub => [
"[log][extra_fields][ctxt_request]", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}", "--- FILTERED FROM LOGS ---",
"message", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}", "--- FILTERED FROM LOGS ---"
]
}
I also noticed a possible improvement in your regex:我还注意到您的正则表达式可能有所改进:
-
[A-Za-z0-9._%+-]
-
[A-Za-z0-9\._%+-](escape the dot.character - you'll need to do this on both sides of the@)[A-Za-z0-9\._%+-](转义点.字符 - 您需要在@的两侧执行此操作)
You might also want to look at using the JSON Filter Plugin to parse the ctxt_request field - then you could just overwrite the contents of that one subfield without using gsub at all.您可能还想查看使用JSON 过滤器插件来解析ctxt_request字段 - 然后您可以完全覆盖该子字段的内容而不使用gsub 。
Here's an example of how that might work.这是一个如何工作的示例。 Caveats are a) that it hasn't been tested, b) that doing the remove_field on the JSON output might not work (although removing the source field will work if the JSON was successfully parsed), and c) that you might have other ideas for how you structure the fields. Caveats are a) that it hasn't been tested, b) that doing the remove_field on the JSON output might not work (although removing the source field will work if the JSON was successfully parsed), and c) that you might have other ideas了解如何构建字段。
json {
source => "[log][extra_fields][ctxt_request]"
target => "[log][extra_fields][parsed][ctxt_request]"
remove_field => [
"[log][extra_fields][ctxt_request]",
# remove the field completely
"[log][extra_fields][parsed][ctxt_request][records][emails]"
]
}
mutate {
# or replace it with the text from your question
replace => {
"[log][extra_fields][parsed][ctxt_request][records][emails]" =>
"--- FILTERED FROM LOGS ---"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.