
Logstash grok match filter what is the message key?

For almost every grok filter when using "match" the value is another hash whose key is "message". What is the significance of the key "message"?

It seems like the value portion of the hash is where all the parsing happens. Is this key just always message? Does the key have any effect on the outputted values?

filter {
  grok {
    match => { "message" => "%{SYSLOGBASE} %{DATA:data}" }
  }
}

In this case, message is a property of the event class. An event comes from the input, i.e., for a STDOUT input (or any syslog file, for example) each line will be a new event where message will be the actual text in that line.

What the grok filter will do with the sample code you've given is essentially something along the lines of:

(pseudocode)

 match(event, field, pattern)
   value = event.get(field) #field = 'message'; value = the actual text
   pattern.match(value)

If the match is successful it will then change the value of event.message because you do %{DATA:message}.

If you're interested the relevant source code is here, particularly match() and handle().
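The role of the match key described in the answer above, as an added example that is neither from the original post nor Logstash's own code: a simplified Ruby model in which the key only selects which event field is parsed. The names `grok_match` and `CLIENT_PATTERN`, the `log` field and the sample events are constructed for illustration; the regex stands in for a compiled grok expression.

```ruby
# Simplified model of grok's `match => { FIELD => PATTERN }` (illustration only).
# An event is a plain Hash; a Ruby regex with named captures stands in for a
# compiled grok expression such as "%{IP:client} %{DATA:data}".

FAILURE_TAG = "_grokparsefailure" # Logstash's default tag_on_failure value

# Hypothetical stand-in pattern: client IPv4 address followed by free text.
CLIENT_PATTERN = /\A(?<client>\d{1,3}(?:\.\d{1,3}){3}) (?<data>.*)\z/

# match_spec maps a source field name to the pattern applied to that field.
def grok_match(event, match_spec)
  result = event.dup
  matched = false
  match_spec.each do |field, pattern|
    value = event[field].to_s # the key only selects the input text
    m = pattern.match(value)
    next unless m
    matched = true
    m.names.each { |name| result[name] = m[name] } # captures become fields
  end
  # No field matched: tag the event so the miss is visible downstream.
  result["tags"] = Array(result["tags"]) + [FAILURE_TAG] unless matched
  result
end

# Constructed sample events. A line-oriented input puts the raw text in
# "message"; here a second, hypothetical source delivers it in "log" instead.
LINE_EVENT = { "message" => "203.0.113.7 login failed for admin" }
JSON_EVENT = { "log" => "198.51.100.9 login ok for alice", "host" => "web01" }

if __FILE__ == $0
  p grok_match(LINE_EVENT, "message" => CLIENT_PATTERN) # client and data added
  p grok_match(JSON_EVENT, "message" => CLIENT_PATTERN) # wrong key: tagged only
  p grok_match(JSON_EVENT, "log" => CLIENT_PATTERN)     # right key: parsed
end
```

When the key names a field the event does not carry, the event passes through unparsed, so any rule that depends on the extracted fields never sees it; counting events tagged `_grokparsefailure` is the usual way to catch that.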
