我想删除 otherString 字段。我已经尝试过,但没有效果。
# Event source: a plain TCP listener.
input {
  tcp {
    # Only the port is configured. No TLS or client-verification settings
    # appear in this block, so as written anything that can reach the port
    # can submit events; restrict access at the network level or enable the
    # plugin's TLS options before exposing it beyond a trusted host.
    # NOTE(review): no bind address is set - confirm which interface the
    # plugin's default listens on for your Logstash version.
    port => "5000"
  }
}
# Filter stage: capture the service name from the raw line, parse the line as
# JSON, then drop helper fields and stash the index name in @metadata.
filter {
  grok {
    # NOTE(review): the double quotes inside this pattern are shown unescaped;
    # presumably the original config escaped them with backslashes and the
    # escapes were lost when the page was rendered - confirm against the real file.
    #
    # The closing quote sits INSIDE the second capture, %{DATA:otherString"},
    # instead of after its closing brace. The capture is therefore not named
    # plain "otherString"; the sample output on this page shows the key with a
    # trailing backslash. Move the quote outside the braces to get a field that
    # is really called otherString.
    match => {"message" => "{"serviceName":"%{DATA:indexName}","%{DATA:otherString"}}"}
  }
  json {
    # Parses the raw line as JSON; with no target set, the parsed keys
    # (serviceName, userId, apiName, ... in the sample output) land at the
    # top level of the event.
    source => "message"
  }
  mutate {
    # "otherString" here does not match the field the grok above actually
    # creates (see the note on the pattern), so this entry removes nothing;
    # only "message" is dropped.
    remove_field => ["message", "otherString"]
    # Copies indexName into @metadata for use by the output's index setting.
    # indexName comes straight from the sender-supplied line, so whoever can
    # send to the TCP input chooses the target index. Consider checking the
    # value against a fixed list of expected service names before using it.
    add_field => { "[@metadata][index_name]" => "%{indexName}" }
  }
}
# Delivery: index each event into Elasticsearch and echo it to the console.
output {
  elasticsearch {
    # Local node; no credentials or TLS settings appear in this block.
    hosts => ["localhost:9200"]
    # The index name is taken from metadata that the filter stage fills from
    # the incoming event, so it is only as trustworthy as the sender.
    # NOTE(review): if the grok did not match, this reference may not resolve
    # to a real service name - confirm how unmatched events should be routed.
    index => "%{[@metadata][index_name]}"
  }
  # Debug echo of every event. The sample output on this page shows it
  # includes userId, userIP and local file paths, so drop this output once
  # debugging is finished if the console log is retained or shared.
  stdout {
    codec => rubydebug
  }
}
输出:
{
"@timestamp" => 2019-03-26T12:43:45.628Z,
"level" => "info",
"userId" => "bbs234isad2i3h4isand",
"indexName" => "bff_web",
"otherString\" => "datetime":"2019-02-02 18:13:45:311","userId":"bbs234isad2i3h4isand","apiName":"/v1/admin/deposit/purpose","apiResponseTime":3692,"accessedTables":["-"],"userIP":"127.0.0.1","reqParam":{",
"apiResponseTime" => 3692,
"reqMethod" => "POST",
"port" => 565656,
"serviceName" => "bff_web",
"apiName" => "/v1/admin/deposit/purpose",
"@version" => "1",
"userIP" => "127.0.0.1",
"file" => "/Users/private/Desktop/arjun-git/bff-web/cashiers.server.controller.js",
"label" => "/usr/local/bin/node",
"accessedTables" => [
[0] "-"
],
"line" => "4972",
"reqParam" => {},
"host" => "2.2.2.2",
"datetime" => "2019-02-02 18:13:45:311"
}
似乎您的字段名称是 "otherString\",这与 "otherString" 不同。您能否先尝试修正该字段的命名方式,或者调整 mutate 过滤器,使其匹配这个实际的字段名称?