Problem description
Trying to use the "memorize" plugin like so:
if [message] =~ /matching event/ {
  grok {
    match => [ "message", "%{mymatch:datetime}" ]
  }
  memorize {
    field => [datetime]
  }
}
if [message] =~ /another event/ {
  mutate {
    add_field => {
      datetime => "%{datetime}"
    }
  }
}
A field called datetime is being added, but it only contains the text "%{datetime}". Clearly I'm using the plugin incorrectly. Can anyone advise on how to reference the memorized value please?
Thanks.
Recommended answer
The plugin works like this:
if [message] =~ /matching event/ {
  grok {
    match => [ "message", "%{mymatch:datetime}" ]
  }
}
# either save the datetime or add it based on last value
memorize {
  field => 'datetime'
  default => '00:00:00'
}
if [message] =~ /another event/ {
  # datetime has already been added based on the above line
}
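The save-or-add behaviour that the answer's comments describe, modelled in plain Ruby as an added example; this is not the memorize plugin's source and not code from the original post. The class name, the time regex standing in for the grok pattern, and the sample messages are assumptions constructed for illustration.

```ruby
# Stand-in model of the filter order in the answer (not the plugin's source).
# Assumption: "memorize" saves the field when the event carries it, otherwise
# copies the last saved value (or the default) onto the event.
class MemorizeModel
  def initialize(field, default)
    @field = field
    @last = default
  end

  def filter(event)
    if event.key?(@field)
      @last = event[@field]      # event carries the field: remember it
    else
      event[@field] = @last      # event lacks it: add the remembered value
    end
    event
  end
end

# Hypothetical stand-in for the grok step: pull HH:MM:SS out of the message.
def grok_datetime(event)
  m = event['message'].match(/\b(\d{2}:\d{2}:\d{2})\b/)
  event['datetime'] = m[1] if m
  event
end

def run_pipeline(messages)
  memo = MemorizeModel.new('datetime', '00:00:00')
  messages.map do |msg|
    event = { 'message' => msg }
    grok_datetime(event) if msg =~ /matching event/
    memo.filter(event)           # runs for every event, outside the conditional
  end
end

# Constructed sample input.
SAMPLE = [
  'another event before anything was seen',
  '12:34:56 matching event',
  'another event',
  '13:00:01 matching event',
  'another event'
].freeze

if __FILE__ == $PROGRAM_NAME
  run_pipeline(SAMPLE).each { |e| puts "#{e['datetime']}  #{e['message']}" }
end
```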