2016-07-12 53 views
0

I have been using Logstash to read some database restore logs. Below are some sample records. Logstash cannot add the field?

07/08/2016 6:33:22.50: START restore database      
SQL2540W Restore is successful, however a warning "2539" was encountered 
during Database Restore while processing in No Interrupt mode. 
07/08/2016 6:33:28.93: END restore database       
SQL4406W The DB2 Administration Server was started successfully. 
07/08/2016 6:35:35.29: END restart server       
connect reset 
DB20000I The SQL command completed successfully. 
07/08/2016 6:35:38.48: END p:\s6\source\system\CMD\res_uw.cmd  

This is the filter section of my conf file.

if ([message] =~ /Backup successful/){ 
    grok{ 
     match => {"message" => ['%{GREEDYDATA:Message}'] } 
    } 
    mutate { 
     add_tag => "send_to_es" 
     add_field => {"Timestamp" => "%{GREEDYDATA:DATETIME}"} 
    } 
} 
if ([message] =~ /warning "2539"/){ 
    grok{ 
     match => {"message" => ['%{GREEDYDATA:Message}'] } 
    } 
    mutate { 
     add_tag => "send_to_es" 
     add_field => {"Timestamp" => "%{GREEDYDATA:DATETIME}"} 
    } 
} 
if ([message] =~ /(END p:|END P:)/){ 
    grok{ 
     match => {"message" => ['%{GREEDYDATA:DATETIME}:%{SPACE}END%{SPACE}%{GREEDYDATA:Mis}'] } 
     remove_field => "%{GREEDYDATA:Mis}" 
    } 
    mutate { 
     add_tag => "send_to_es" 
    } 
} 

I want to extract the "DATETIME" from the last line of my record and add it to the other messages when they are indexed at the same time. However, it fails to add the field. The output becomes:

    "message": "SQL2540W Restore is successful, however a warning \"2539\" was encountered \r\r",
    "@version": "1",
    "@timestamp": "2016-07-12T02:28:52.337Z",
    "path": "C:/CIGNA/hkiapp67_db_restore/res_uw.log",
    "host": "SIMSPad",
    "type": "txt",
    "Message": "SQL2540W Restore is successful, however a warning \"2539\" was encountered \r\r",
    "Timestamp": "%{GREEDYDATA:DATETIME}",
    "tags": [
        "send_to_es"
    ]

How can I solve this?

Answer

1

When Logstash receives a line, it knows nothing about any other line. You will have to use the multiline codec/filter to regroup all the lines with the line that carries the date. Then you use a grok filter to extract the date and add it to the document.

The structure of the multiline codec/filter would be something like this:

multiline { 
    pattern => "%{DATE}" 
    negate => "true" 
    what => "next" 
} 

With this, every line that does not start with the DATE pattern will be joined with the next line.
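To make the answer's mechanism concrete, here is an added example (not part of the answer above, and not Logstash's own code) that replays the codec's decision rule in plain Python over the nine sample lines from the question. The two regexes are stand-ins for grok's %{DATE} and for the question's END-line pattern; the helper names multiline_join, grok_timestamp and process are assumptions of this example. It goes slightly beyond the answer by also supporting what => "previous", so you can see how the grouping differs. It also shows why the question's output contains the literal text %{GREEDYDATA:DATETIME}: in add_field, Logstash resolves a field reference written as %{DATETIME}; the grok capture syntax %{GREEDYDATA:DATETIME} is not a field reference, and on a single-line event no DATETIME field exists yet anyway.

```python
import re

# Constructed sample input: the question's nine log lines, one per line, as the
# file input would hand them to Logstash before any multiline handling.
SAMPLE_LINES = [
    "07/08/2016 6:33:22.50: START restore database",
    'SQL2540W Restore is successful, however a warning "2539" was encountered',
    "during Database Restore while processing in No Interrupt mode.",
    "07/08/2016 6:33:28.93: END restore database",
    "SQL4406W The DB2 Administration Server was started successfully.",
    "07/08/2016 6:35:35.29: END restart server",
    "connect reset",
    "DB20000I The SQL command completed successfully.",
    "07/08/2016 6:35:38.48: END p:\\s6\\source\\system\\CMD\\res_uw.cmd",
]

# Stand-in for grok's %{DATE} (its DATE_US form, MM/DD/YYYY) at the start of a line.
DATE_AT_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}")

# Stand-in for the grok pattern from the question's third branch,
# %{GREEDYDATA:DATETIME}:%{SPACE}END%{SPACE}%{GREEDYDATA:Mis}, applied to the
# dated line inside a joined event. START is accepted too so the opening event
# of the restore also gets a timestamp. re.M lets ^/$ match any line of the event.
DATED_LINE = re.compile(
    r"^(?P<DATETIME>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}\.\d+):"
    r"\s*(?:START|END)\s+(?P<Mis>.*)$",
    re.M,
)


def multiline_join(lines, pattern=DATE_AT_START, negate=True, what="next"):
    """Replicate the multiline codec's decision rule: XOR the pattern match with
    `negate`; for what => "next" buffer the line and flush when it did not match,
    for what => "previous" flush first and then buffer the line.
    Each returned event is the newline-joined text of one flushed buffer."""
    events, buf = [], []
    for line in lines:
        matched = bool(pattern.search(line)) != negate  # XOR, as the codec does
        if what == "next":
            buf.append(line)
            if not matched:
                events.append("\n".join(buf))
                buf = []
        elif what == "previous":
            if not matched and buf:
                events.append("\n".join(buf))
                buf = []
            buf.append(line)
        else:
            raise ValueError("what must be 'next' or 'previous'")
    if buf:  # end of input flushes whatever is still buffered
        events.append("\n".join(buf))
    return events


def grok_timestamp(event):
    """Stand-in for the grok filter: find the dated line inside the joined event
    and attach DATETIME and Mis to the document. Once the field exists, the
    sprintf reference %{DATETIME} in add_field resolves to its value."""
    doc = {"message": event}
    m = DATED_LINE.search(event)
    if m:
        doc["DATETIME"] = m.group("DATETIME")
        doc["Mis"] = m.group("Mis")
        doc["Timestamp"] = doc["DATETIME"]  # add_field => {"Timestamp" => "%{DATETIME}"}
    else:
        doc["tags"] = ["_grokparsefailure"]  # the tag grok sets when nothing matches
    return doc


def process(lines, **multiline_opts):
    """Join the raw lines into events, then extract the timestamp from each."""
    return [grok_timestamp(e) for e in multiline_join(lines, **multiline_opts)]


if __name__ == "__main__":
    for doc in process(SAMPLE_LINES):
        print(doc.get("Timestamp", "<no timestamp>"), "|", doc["message"].splitlines()[0])
```

With the answer's settings (DATE pattern, negate true, what next) the sample collapses into four events, and the event carrying the SQL2540W warning also carries "07/08/2016 6:33:28.93: END restore database", so the question's `if ([message] =~ /warning "2539"/)` branch can grok DATETIME from the same event and then copy it with `add_field => {"Timestamp" => "%{DATETIME}"}`. The remove_field line in the question has the same problem in reverse: it expects a field name such as "Mis", not a grok pattern.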

+0

Can the aggregate filter also do this?

+0

@KennedyKan From what I read in the documentation, it should be able to. But I have never used that filter, so I can help you – baudsp