- elasticsearch/
elasticsearch 在Logstash中提取xpath值以有条件地创建新字段
elasticsearch 在Logstash中提取xpath值以有条件地创建新字段
我的xml文件的结构附在下面。我想提取xpath创建的字段的值,并对其运行if-else条件。在某种程度上,若station_name的值等于“Finch”,则创建一个新字段并存储在其中。有人能建议我如何实现这一点吗 我试图实现的目标的编纂版本
if "Finch" in [station_name] {
xpath => ["/station/name/text()","Ny_station"]
}
else {
xpath => ["/station/name/text()","nonNy_station"]
}
input
{
file
{
path => "C:\Users\186181152\Downloads\stations3.xml"
start_position => "beginning"
sincedb_path => "/dev/null"
exclude => "*.gz"
type => "xml"
codec => multiline {
pattern => "<stations>"
negate => "true"
what => "previous"
}
}
}
filter
{
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "station_name"
]
}
}
output
{
elasticsearch
{
codec => json
hosts => "localhost"
index => "xmlns24"
}
stdout
{
codec => rubydebug
}
输入
{
文件
{
path=>“C:\Users\186181152\Downloads\stations3.xml”
开始位置=>“开始”
sincedb_path=>“/dev/null”
排除=>“*.gz”
类型=>“xml”
编解码器=>多行{
模式=>“”
否定=>“真”
什么=>“以前的”
}
}
}
滤波器
{
xml
{
source=>“消息”
store_xml=>false
目标=>“电台”
xpath=>[
“/stations/station/id/text(),“station\u id”,
/stations/station/name/text(),“station\u name”
]
}
}
输出
{
弹性搜索
{
编解码器=>json
主机=>“本地主机”
索引=>“xmlns24”
}
stdout
{
编解码器=>rubydebug
}
不能在xml筛选器中使用if-else循环。但是在if-else循环中可以有两个xml过滤器和,唯一的区别是xpath创建的变量 在这里,它检查字符串
Finchif [message] =~ "Finch" {
xml
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "Ny_station"
]
}
} else {
{
source => "message"
store_xml => false
target => "stations"
xpath => [
"/stations/station/id/text()", "station_id",
"/stations/station/name/text()", "nonNy_station"
]
}
}
请注意添加字段。我可能没有正确理解您的问题,但我会这样做:
如果[station_name]{mutate{add_field=>{Ny_station=>“%{station_name}}}}中的“Finch”出现在[station_name]{mutation{add field=>{nonNy_station=>“{station_name}}}}}}