0

我有一个名为“Job Code.txt”的文件

job_id=0001,description=Ship data from server to elknode1,result=OK
job_id=0002,description=Ship data from server to elknode2,result=Error: Msg...
job_id=0003,description=Ship data from server to elknode3,result=OK
job_id=0004,description=Ship data from server to elknode4,result=OK

这是我的 .conf 文件的过滤器部分,但它不起作用。如何创建新字段,即在 kibana 中看到的 jobID、描述、结果

filter{
grok{   match => {"message" => ["JobID: %{NOTSPACE:job_id}","description: %{NOTSPACE:description}","result: %{NOTSPACE:message}"]}
add_field => {
"JobID" => "%{job_id}"
"Description" => "%{description}"
"Message" => "%{message}"
}
}
if [job_id] == "0001" {
aggregate {
task_id => "%{job_id}"
code => "map['time_elasped']=0"
map_action => "create"
}
}
if [job_id] == "0003" {
aggregate {
task_id => "%{job_id}"
code => "map['time_elasped']=0"
map_action => "update"
}
}
if [job_id] == "0002" {
aggregate {
task_id => "%{job_id}"
code => "map['time_elasped']=0"
map_action => "update"
}
}
4

1 回答 1

0

我知道这已经有几天了,也许您仍然需要答案。将您的 grok 语句更改为:

grok {
      match => { "message" => "job_id=%{DATA:job_id},description=%{DATA:description},result=%{GREEDYDATA:message}" }
}

您不需要 add_field 选项,grok 将为您创建它们。add_field 选项是添加任意字段。在https://grokdebug.herokuapp.com检查模式

此外,除非您要匹配其他消息,否则我认为您拥有的汇总语句不会满足您的要求。

于 2016-05-11T17:54:30.623 回答