Logstash grok filter - name fields dynamically

耶瑟儿~ 2020-12-14 04:27

I've got log lines in the following format and want to extract fields:

[field1: content1] [field2: content2] [field3: content3] ...

I neit

2 answers
  • 2020-12-14 04:42

    The Logstash Ruby plugin can help you. :)

    Here is the configuration:

    input {
        stdin {}
    }
    
    filter {
        ruby {
            code => "
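                # Logstash 5.0+ Event API: event.get / event.set replace hash-style access
                fieldArray = event.get('message').split('] [')
                for field in fieldArray
                    # strip the enclosing brackets
                    field = field.delete '['
                    field = field.delete ']'
                    # split on the first ': ' only, so a value may itself contain ': '
                    result = field.split(': ', 2)
                    event.set(result[0], result[1])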
                end
            "
        }
    }
    
    output {
        stdout {
            codec => rubydebug
        }
    }
    

    With your logs:

    [field1: content1] [field2: content2] [field3: content3]
    

    This is the output:

    {
       "message" => "[field1: content1] [field2: content2] [field3: content3]",
      "@version" => "1",
    "@timestamp" => "2014-07-07T08:49:28.543Z",
          "host" => "abc",
        "field1" => "content1",
        "field2" => "content2",
        "field3" => "content3"
    }
    

    I have tried with 4 fields; it also works.

    Please note that the event in the Ruby code is the Logstash event. You can use it to get all your event fields, such as message, @timestamp, etc.

    Enjoy it!!!

  • 2020-12-14 04:51

    I found another way using regex:

    ruby {
        code => "
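            # Logstash 5.0+ Event API: event.get / event.set replace hash-style access
            fields = event.get('message').scan(/(?<=\[)\w+: .*?(?=\](?: |$))/)
            for field in fields
                # split on the first ': ' only, so a value may itself contain ': '
                field = field.split(': ', 2)
                event.set(field[0], field[1])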
            end
        "
    }
    
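Both answers take field names straight from the log line, so whoever writes the log decides which event fields are set, including `message`, `host` or `@timestamp`, and how many are created. The following is an added example, not code from either answer: a standalone Ruby parser for the same `[name: value]` format that validates names before they would be written to the event. `RESERVED`, `NAME_RE`, `MAX_FIELDS`, `parse_bracket_fields` and the `[kv]` target are assumptions chosen for illustration, and the sample line is constructed.

```ruby
# Added example (not from the answers): validate dynamic field names
# before copying them onto a Logstash event.

# Assumed policy values; adjust to the pipeline's own schema.
RESERVED   = %w[message host tags type path].freeze
NAME_RE    = /\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/   # also rejects @-prefixed names
MAX_FIELDS = 32                                  # bound on fields per event

# One "[name: value]" pair; the value ends at a "]" that is followed by
# " [" or by the end of the line, so a value may contain ": ".
PAIR_RE = /\[([^\[\]:]+): (.*?)\](?= \[|\s*\z)/

# Returns [accepted_hash, rejected_names].
def parse_bracket_fields(message)
  accepted = {}
  rejected = []
  message.scan(PAIR_RE) do |name, value|
    if !NAME_RE.match?(name) || RESERVED.include?(name)
      rejected << name                 # would shadow or corrupt a core field
    elsif accepted.key?(name) || accepted.size >= MAX_FIELDS
      rejected << name                 # first value wins; cap field count
    else
      accepted[name] = value
    end
  end
  [accepted, rejected]
end

# Constructed sample line: two names collide with core event fields.
SAMPLE = '[user: alice] [@timestamp: 1999-01-01] [message: overwritten] [note: a: b]'

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = parse_bracket_fields(SAMPLE)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
  # Inside a Logstash ruby filter the accepted pairs would be written under
  # a sub-object rather than the event root (hypothetical target "[kv]"):
  #   accepted.each { |k, v| event.set("[kv][#{k}]", v) }
  #   event.tag('_kv_rejected') unless rejected.empty?
end
```
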