Previously the nginx logs were matched with grok, but I later noticed that every value in the nginx log is separated by the delimiter "|". That makes it possible to use mutate to split out each field's meaning, and it also reduces the processing cost.
Description
The mutate filter lets you perform general mutations on fields. You can rename, remove, replace and modify fields in an event.
Commonly used configuration options:
- rename: rename a field
- update: update a field's value; if the field does not exist, nothing is done
- convert: convert a field to another type
- copy: copy a field to another field
- join: join an array into a string using a separator
- lowercase: convert a string to lowercase
- replace: replace a field's value with a new value
- split: split a field into an array using a separator. Only works on string fields
- uppercase: convert a string to its uppercase equivalent
Official documentation: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html
The configuration below processes the log with the delimiter; the array indices of the split fields start at 0.
input {
  file {
    path => "/tmp/nginx.log"
    start_position => "beginning"
  }
}
filter {
  # Split the "|"-delimited line into an array; indices start at 0.
  mutate {
    split => ["message", "|"]
    add_field => {
      "timestamp" => "%{[message][0]}"
      "remote_addr" => "%{[message][1]}"
      "request_all" => "%{[message][2]}"
      "status" => "%{[message][3]}"
      "body_bytes_sent" => "%{[message][4]}"
      "request_time" => "%{[message][5]}"
      "request_body" => "%{[message][6]}"
      "http_referer" => "%{[message][7]}"
      "http_user_agent" => "%{[message][8]}"
      "http_x_forwarded_for" => "%{[message][9]}"
      "upstream_addr" => "%{[message][10]}"
      "upstream_response_time" => "%{[message][11]}"
      "upstream_cache_status" => "%{[message][12]}"
      "scheme" => "%{[message][13]}"
    }
  }
  # Break the request line into method, path and HTTP version.
  grok {
    match => {
      "request_all" => "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}"
    }
    # A single remove_field list (two keys with the same name are not valid);
    # grok only removes these fields when the match succeeds.
    remove_field => [ "request_all", "message" ]
  }
  # convert has to sit inside a mutate block. It is placed in its own mutate here,
  # after the fields exist, because mutate runs convert before add_field.
  mutate {
    convert => {
      "body_bytes_sent" => "integer"
      # nginx $request_time is seconds with millisecond resolution (e.g. 0.005),
      # so converting it to integer would truncate it to 0.
      "request_time" => "float"
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.20.6:9200"]
    index => "logstash-nginx_local"
  }
}
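To check the column mapping before deploying the pipeline, the same split, request-line match and type conversions can be replayed in plain Ruby (Logstash's own language). This is an added example, not code from the original post: the 14-column order, the constructed sample line and the tag names are assumptions that mirror the configuration above, and the column-count check guards against a line whose user-controlled fields (referer, user agent, request) contain a stray "|" and would otherwise shift every later column.

```ruby
# Column order assumed from the add_field mapping in the Logstash config above.
FIELDS = %w[timestamp remote_addr request_all status body_bytes_sent request_time
            request_body http_referer http_user_agent http_x_forwarded_for
            upstream_addr upstream_response_time upstream_cache_status scheme].freeze

# Equivalent of the grok pattern "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}".
REQUEST_RE = %r{\A(?<verb>\w+) (?<request>\S+) HTTP/(?<httpversion>\d+(?:\.\d+)?)\z}

# Parse one "|"-delimited nginx line into a hash of fields, the way the pipeline would.
def parse_nginx_line(line)
  # -1 keeps trailing empty columns so the column-count check below is meaningful.
  parts = line.chomp.split("|", -1)
  # Wrong column count (e.g. an extra "|" inside the user agent): tag instead of mis-mapping.
  return { "message" => line, "tags" => ["_splitfailure"] } if parts.size != FIELDS.size

  event = FIELDS.zip(parts).to_h
  if (m = REQUEST_RE.match(event["request_all"]))
    event["verb"] = m[:verb]
    event["request"] = m[:request]
    event["httpversion"] = m[:httpversion]
    event.delete("request_all")        # grok's remove_field runs only on a successful match
  else
    event["tags"] = ["_grokparsefailure"]
  end
  event["body_bytes_sent"] = event["body_bytes_sent"].to_i
  event["request_time"] = event["request_time"].to_f   # seconds with ms resolution, so float
  event
end

# Constructed sample line in the 14-column format the post describes.
SAMPLE = "10/Oct/2023:13:55:36 +0800|203.0.113.7|GET /index.html?x=1 HTTP/1.1|200|612|0.005" \
         "|-|-|curl/7.88.1|-|10.0.0.5:8080|0.004|MISS|https"

if __FILE__ == $0
  p parse_nginx_line(SAMPLE)
  # A user agent containing "|" shifts the columns; the count check catches it.
  p parse_nginx_line(SAMPLE.sub("curl/7.88.1", "bad|agent"))
end
```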