0
我創造了這個新主題,以避免混亂,但它關係到下面的主題,這是解決:從某一領域,根據不同的內容,mofify,並將其存放在不同的新領域
Modify the content of a field using logstash
假設在名爲code的字段中,內容也是單詞,如:notification或mountain,我想要創建另一個字段code_word來存儲這些單詞。
因此,從數據庫中稱爲code的字段中,根據其內容,它將創建code_short和code_word。
我是想這樣的事情:
grok {
match => { "code" => "(?<prefix>[a-zA-Z]+)000000%{INT:suffix} %{WORD:word}" }
add_field => { "code_short" => "%{prefix}%{suffix}"}
add_field => { "code_word" => "%{word}"}
}
但顯然是行不通的:_grokparsefailure。
我不知道該怎麼做,我想知道是否可以使用像「if」這樣的條件來完成。
這是輸出:
{
"took": 5,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 43,
"max_score": 1,
"hits": [
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg75",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.360Z",
"code": "molfix-oat",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg77",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.365Z",
"code": "PO0000002221",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8C",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.372Z",
"code": "ST0000003302",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8K",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.382Z",
"code": "notifications-set",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8M",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.384Z",
"code": "PO0000001111",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8N",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.385Z",
"code": "PO0000000808",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8R",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.388Z",
"code": "TT0000000009",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8U",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.391Z",
"code": "ST0000001113",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8c",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.398Z",
"code": "test/bin/UT0",
"@version": "1",
"tags": []
}
},
{
"_index": "test1",
"_type": "data",
"_id": "AVo3yno0PoyZlwFEpg8g",
"_score": 1,
"_source": {
"@timestamp": "2017-02-13T14:05:00.400Z",
"code": "PO0000001203",
"@version": "1",
"tags": []
}
}
]
}
}
感謝您的快速reply.Now它正在創建與「code」具有相同內容的「code_word」。它不再創建格式化字段「code_short」。我試圖實現的是從給定字段「code」根據其內容生成兩個不同的字段, 「code_short」與PO1209之類的內容,以及th其他的「code_word」只有字段「code」有它的一些行。任何其他的想法,使這項工作?非常感謝 – Ubbi099
我需要看到'code'值的一個樣本不符合grok模式,那麼您需要看到存儲在'code_word'中。我看到它的方式,如果模式匹配,你只會得到'code_short',如果模式不匹配,你只會得到'code_word' – Val
會是這樣的: 字段「代碼」的例子是存儲在 「code_word」,值: molfix, notificaion燕麥, 大腦皮層,現場的樣品的 「代碼」 和實例將被存儲在 「code_short」,值格式化之前: PO0000001209, ST0000000909, 一旦存儲在「code_short」中,它們將如下所示: PO1209, ST0909, 謝謝。 – Ubbi099