从Logstash筛选器中的输入引用字段_Logstash_Logstash Configuration

从Logstash筛选器中的输入引用字段

logstash

从Logstash筛选器中的输入引用字段,logstash,logstash-configuration,Logstash,Logstash Configuration,我有以下输入，它是由FileBeat生成的 { "@timestamp": "2018-12-04T09:21:33.360Z", "@metadata": { "beat": "filebeat", "type": "doc", "version": "6.5.0" }, "message": "the message", "prospector": {"type": "log"}, "input": {"type": "log"}, "be

我有以下输入，它是由FileBeat生成的

{
  "@timestamp": "2018-12-04T09:21:33.360Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.5.0"
  },
  "message": "the message",
  "prospector": {"type": "log"},
  "input": {"type": "log"},
  "beat": {
    "name": "linuxkit-025000000001",
    "hostname": "linuxkit-025000000001",
    "version": "6.5.0"
  },
  "host": {"name": "linuxkit-025000000001"},
  "source": "/opt/foo/logs/bar.log",
  "offset": 9893715,
  "log": {"flags": ["multiline"]}
}

我想在脚本中使用

消息

字段，因此我尝试使用以下过滤器

filter {
    mutate {
        add_field => {
            "decoded_base64" => ruby {
                path => "scripts/my_script.rb"
                script_params => { "msg" => "${[message]}" }
            }
        }
    }
}

但是我不断得到

NoMethodError

引用方法“get”

logstash |[2018-12-11T14:05:47765][ERROR][logstash.agent]无法执行操作{:action=>logstash:：PipelineAction:：Create/pipeline_id:cep_logs，
：exception=>“NoMethodError”，
：message=>“的未定义方法'get'#
\你是说？getClass\n get\u class\n gem“，
：backtrace=>[“/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:210:in`expr'”org/jruby/RubyArray.java:2486:in`map'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:202:in`expr'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:133:in`expr'”，/org/jruby/RubyArray.java:2486:in`map，
“/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:97:in`expr_attributes'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:75:in`expr'，“org/jruby/RubyArray.java:2486:in`map'”/usr/share/logstash/log
stash core/lib/logstash/compiler/lscl.rb:68:in‘expr’，/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:47:in‘block in compile’，“org/jruby/rubyaray.java:1734:in‘each’，/usr/share/logstash/logstash core/lib/logstas
h/compiler/lscl.rb:45:in‘compile’、/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:45:in‘compile_-private’、/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in‘compile_-graph’、/usr/share/logstash/logstash/logstash
sh core/lib/logstash/compiler.rb:11:in‘block in compile_sources’，“org/jruby/RubyArray.java:2486:in‘map’，/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in‘compile_sources’，“org/logstash/execution/AbstractPipelineE”
java:149:in'initialize'”/usr/share/logstash/logstash core/lib/logstash/pipeline.rb:22:in'initialize'”/usr/share/logstash/logstash core/lib/logstash/pipeline.rb:90:in'initialize'”/usr/share/logstash/logstash core/lib/logstash
sh/pipeline_action/create.rb:38:in'execute'“/usr/share/logstash/logstash core/lib/logstash/agent.rb:309:in'block in converge_state'”}

有人能解释一下为什么会这样吗

我不认为这有什么关系，但以防我使用的脚本

require "base64"

def register(params)
    @msg = params["msg"]
end

def filter(event)
    if @msg.matches(/<DataB64>(.*)<\/DataB64>/)
        return Base64.decode64($1)
    end
end

需要“base64”
def寄存器（参数）
@msg=params[“msg”]
结束
def过滤器（事件）
如果@msg.matches（/（.*）/）
返回Base64.decode64（$1）
结束
结束

除非我在文档中没有看到某些变化，否则您不应该使用

mutate->add\u field

运行ruby。尝试：

filter {
    ruby {
        ...
    }
}

让您的ruby代码使用

[event.set][1]

添加字段谢谢，我不知道您不能将其用作添加字段的输入。。这是我第一次使用logstash，从文档中可以看出你可以做到这一点。干杯

filter {
    ruby {
        ...
    }
}