将if-else与Logstash split一起使用
我有一个名为将if-else与Logstash split一起使用,logstash,Logstash,我有一个名为description的字符串字段,用分隔 我将其拆分如下: filter { mutate { split => ["description", "_"] add_field => {"location" => "%{[description][3]}"} } 如何检查分割值是否为空 我曾尝试: if !["%{[description][3]}"] { # do something } if ![[de
description分隔
我将其拆分如下:
filter {
mutate {
split => ["description", "_"]
add_field => {"location" => "%{[description][3]}"}
}
如何检查分割值是否为空
我曾尝试:
if !["%{[description][3]}"] {
# do something
}
if ![[description][3]] {
# do something
}
if ![description][3] {
# do something
}
它们都不起作用
目标是将新字段的值location
作为其实际值或通用值,如NA
您的变异拆分操作犯了一个非常简单的错误
这个
mutate {
split => ["description", "_"]
add_field => {"location" => "%{[description][3]}"}
}
应该是
mutate {
split => ["description"=> "_"] <=== see I removed the comma and added =>
add_field => {"location" => "%{[description][3]}"}
}
控制台上的结果(因为没有第4个元素,所以转到else
block)
{
"host" => "0:0:0:0:0:0:0:1",
"result" => "The 4 th field DOES NOT exists", <==== from else block
"@timestamp" => 2020-01-14T19:35:41.013Z,
"message" => "hello",
"description" => [
[0] "Python",
[1] "Java",
[2] "ruby",
[3] "perl "
]
}
{
“主机”=>“0:0:0:0:0:0:0:0:1”,
“结果”=>“第四个字段不存在”,2020-01-14T19:35:41.013Z,
“消息”=>“你好”,
“说明”=>[
[0]“Python”,
[1] “爪哇”,
[2] “红宝石”,
[3] “perl”
]
}
您的变异拆分犯了一个非常简单的错误
这个
mutate {
split => ["description", "_"]
add_field => {"location" => "%{[description][3]}"}
}
应该是
mutate {
split => ["description"=> "_"] <=== see I removed the comma and added =>
add_field => {"location" => "%{[description][3]}"}
}
控制台上的结果(因为没有第4个元素,所以转到else
block)
{
"host" => "0:0:0:0:0:0:0:1",
"result" => "The 4 th field DOES NOT exists", <==== from else block
"@timestamp" => 2020-01-14T19:35:41.013Z,
"message" => "hello",
"description" => [
[0] "Python",
[1] "Java",
[2] "ruby",
[3] "perl "
]
}
{
“主机”=>“0:0:0:0:0:0:0:0:1”,
“结果”=>“第四个字段不存在”,2020-01-14T19:35:41.013Z,
“消息”=>“你好”,
“说明”=>[
[0]“Python”,
[1] “爪哇”,
[2] “红宝石”,
[3] “perl”
]
}