創建新的領域與logstash

Question

我有一個名爲「作業Code.txt」

job_id=0001,description=Ship data from server to elknode1,result=OK 
job_id=0002,description=Ship data from server to elknode2,result=Error: Msg... 
job_id=0003,description=Ship data from server to elknode3,result=OK 
job_id=0004,description=Ship data from server to elknode4,result=OK 

這裏是我的.conf文件的過濾器的一部分，但它不工作的文件。我怎樣才能創建新的領域，即作業ID，說明，導致在kibana

filter{ 
grok{ match => {"message" => ["JobID: %{NOTSPACE:job_id}","description: %{NOTSPACE:description}","result: %{NOTSPACE:message}"]} 
add_field => { 
"JobID" => "%{job_id}" 
"Description" => "%{description}" 
"Message" => "%{message}" 
} 
} 
if [job_id] == "0001" { 
aggregate { 
task_id => "%{job_id}" 
code => "map['time_elasped']=0" 
map_action => "create" 
} 
} 
if [job_id] == "0003" { 
aggregate { 
task_id => "%{job_id}" 
code => "map['time_elasped']=0" 
map_action => "update" 
} 
} 
if [job_id] == "0002" { 
aggregate { 
task_id => "%{job_id}" 
code => "map['time_elasped']=0" 
map_action => "update" 
} 
} 

Answer 1

待觀察我知道這是一兩天的時候，或許你仍需要一個答案。將您的grok語句更改爲：

grok { 
     match => { "message" => "job_id=%{DATA:job_id},description=%{DATA:description},result=%{GREEDYDATA:message}" } 
} 

您不需要add_field選項，grok會爲您創建它們。 add_field選項是添加任意字段。檢查模式在https://grokdebug.herokuapp.com

另外，除非有其他消息，你想匹配，我不認爲你的彙總語句會做你想做的。