本文介绍了logstash检查字段是否存在的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有进入ELK堆栈的日志文件.我想复制一个字段(foo)以便对其执行各种更改,但是该字段(foo)并不总是存在.
I have log files coming in to an ELK stack. I want to copy a field (foo) in order to perform various mutations on it, However the field (foo) isn't always present.
如果foo不存在,则bar仍会创建,但会分配文字字符串"%{foo}"
If foo doesn't exist, then bar still gets created, but is assigned the literal string "%{foo}"
仅在字段存在的情况下如何执行突变?
How can I perform a mutation only if a field exists?
我正在尝试做这样的事情.
I'm trying to do something like this.
if ["foo"] {
mutate {
add_field => "bar" => "%{foo}
}
}
推荐答案
要检查字段foo是否存在:
To check if field foo exists:
1)对于数字类型字段,请使用:
if ([foo]) {
...
}
2)对于非数字类型(如布尔值,字符串),请使用:
if ("" in [foo]) {
...
}
这篇关于logstash检查字段是否存在的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!