1. 首頁
  2. 問答
  3. logstash config中的變量未被替換

logstash config中的變量未被替換

2016-04-14 77 views
0

前綴中的變量都未被替換 - 爲什麼?logstash config中的變量未被替換

它正在使用舊版本的logstash(1.5.4),但不再與2.3。

output { 
    if [bucket] == "bucket1" { 
    s3 { 
     bucket => "bucket1" 
     access_key_id => "****" 
     secret_access_key => "****" 
     region => "ap-southeast-2" 
     prefix => "%{env}/%{year}/%{month}/%{day}/" 
     size_file => 50000000 #50mb 
     time_file => 1 
     codec => json_lines # save log as json line (no newlines) 
     temporary_directory => "/var/log/temp-logstash" 
     tags => ["bucket1"] 
    } 
    } 
    .. 
}

實施例的數據集(從標準輸出截取):在logstash.cfg輸出濾波器的

部分(dumps to s3

{ 
    "random_person" => "Kenneth Cumming 2016-04-14 00:53:59.777647", 
     "@timestamp" => "2016-04-14T00:53:59.917Z", 
      "host" => "192.168.99.1", 
      "year" => "2016", 
      "month" => "04", 
       "day" => "14", 
       "env" => "dev", 
      "bucket" => "bucket1" 
}

以防萬一,這裏是過濾器:

filter { 
    mutate { 
    add_field => { 
     "request_uri" => "%{[headers][request_path]}" 
    } 
    } 
    grok { 
    break_on_match => false # default behaviour is to stop matching after first match, we don't want that 
    match => { "@timestamp" => "%{NOTSPACE:date}T%{NOTSPACE:time}Z"} # break timestamp field into date and time 
    match => { "date" => "%{INT:year}-%{INT:month}-%{INT:day}"} # break date into year month and day fields 
    match => { "request_uri" => "/%{WORD:env}/%{NOTSPACE:bucket}"} # break request uri into environment and bucket fields 
    } 
    mutate { 
     remove_field => ["request_uri", "headers", "@version", "date", "time"] 
    } 

}

來源

2016-04-14 kev

+0

我期望這是一個範圍問題 - 您正在嘗試使用'date'字段來創建'year'(等),但'date'字段是在同一個grok {}節中創建的。我會在單獨的grok節中嘗試它,或者將它們合併到你真正想要的grok模式中。 –

+0

%{env}呢? – kev

回答

0

這是一個known issue該字段vari 「前綴」中不允許有ables。

來源

2016-04-14 04:15:05

+0

nigoel在2015年6月1日開通此問題並提供修復:-( – kev

相關問題

 相關問題