从Logstash筛选器中的输入引用字段
我有以下输入,它是由FileBeat生成的从Logstash筛选器中的输入引用字段,logstash,logstash-configuration,Logstash,Logstash Configuration,我有以下输入,它是由FileBeat生成的 { "@timestamp": "2018-12-04T09:21:33.360Z", "@metadata": { "beat": "filebeat", "type": "doc", "version": "6.5.0" }, "message": "the message", "prospector": {"type": "log"}, "input": {"type": "log"}, "be
{
"@timestamp": "2018-12-04T09:21:33.360Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.5.0"
},
"message": "the message",
"prospector": {"type": "log"},
"input": {"type": "log"},
"beat": {
"name": "linuxkit-025000000001",
"hostname": "linuxkit-025000000001",
"version": "6.5.0"
},
"host": {"name": "linuxkit-025000000001"},
"source": "/opt/foo/logs/bar.log",
"offset": 9893715,
"log": {"flags": ["multiline"]}
}
我想在脚本中使用消息
字段,因此我尝试使用以下过滤器
filter {
mutate {
add_field => {
"decoded_base64" => ruby {
path => "scripts/my_script.rb"
script_params => { "msg" => "${[message]}" }
}
}
}
}
但是我不断得到NoMethodError
引用方法“get”
logstash |[2018-12-11T14:05:47765][ERROR][logstash.agent]无法执行操作{:action=>logstash::PipelineAction::Create/pipeline_id:cep_logs,
:exception=>“NoMethodError”,
:message=>“的未定义方法'get'#
\你是说?getClass\n get\u class\n gem“,
:backtrace=>[“/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:210:in`expr'”org/jruby/RubyArray.java:2486:in`map'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:202:in`expr'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:133:in`expr'”,/org/jruby/RubyArray.java:2486:in`map,
“/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:97:in`expr_attributes'”/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:75:in`expr',“org/jruby/RubyArray.java:2486:in`map'”/usr/share/logstash/log
stash core/lib/logstash/compiler/lscl.rb:68:in‘expr’,/usr/share/logstash/logstash core/lib/logstash/compiler/lscl.rb:47:in‘block in compile’,“org/jruby/rubyaray.java:1734:in‘each’,/usr/share/logstash/logstash core/lib/logstas
h/compiler/lscl.rb:45:in‘compile’、/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:45:in‘compile_-private’、/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in‘compile_-graph’、/usr/share/logstash/logstash/logstash
sh core/lib/logstash/compiler.rb:11:in‘block in compile_sources’,“org/jruby/RubyArray.java:2486:in‘map’,/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in‘compile_sources’,“org/logstash/execution/AbstractPipelineE”
java:149:in'initialize'”/usr/share/logstash/logstash core/lib/logstash/pipeline.rb:22:in'initialize'”/usr/share/logstash/logstash core/lib/logstash/pipeline.rb:90:in'initialize'”/usr/share/logstash/logstash core/lib/logstash
sh/pipeline_action/create.rb:38:in'execute'“/usr/share/logstash/logstash core/lib/logstash/agent.rb:309:in'block in converge_state'”}
有人能解释一下为什么会这样吗
我不认为这有什么关系,但以防我使用的脚本
require "base64"
def register(params)
@msg = params["msg"]
end
def filter(event)
if @msg.matches(/<DataB64>(.*)<\/DataB64>/)
return Base64.decode64($1)
end
end
需要“base64”
def寄存器(参数)
@msg=params[“msg”]
结束
def过滤器(事件)
如果@msg.matches(/(.*)/)
返回Base64.decode64($1)
结束
结束
除非我在文档中没有看到某些变化,否则您不应该使用mutate->add\u field
运行ruby。尝试:
filter {
ruby {
...
}
}
让您的ruby代码使用
[event.set][1]
添加字段谢谢,我不知道您不能将其用作添加字段的输入。。这是我第一次使用logstash,从文档中可以看出你可以做到这一点。干杯
filter {
ruby {
...
}
}