小贝子编程

如何在logstash过滤器中获取消息的第一个字符



我想获得消息的firs-char,以便应用xml或json过滤器,但我甚至不知道如何启动```

filter {
  if [type]=="mom_rubens" {
    if [message] = "<*" {
      xml {
        source => "message"
        store_xml => false
        xpath => [
          "/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
          "/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
        ]
        target => "xml"
      }
    }
    else if [message] = "{*" {
      json {
        source => "message"
      }
    }
  }

```

如果[message]="

```

感谢您的帮助

向Guillaume 致以最良好的问候

应该是:

if [message] =~ /^<xml/ {
    ...
}

我认为这是很好的

filter {
  if [type]=="mom_rubens" {
    if ([message] =~ /^</) {
      xml {
        add_field => { "genre" => "xml" }
        source => "message"
        store_xml => false
        xpath => [
          "/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
          "/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE"
        ]
        target => "xml"
      }
    }
    else if ([message] =~ /^{/) {
      json {
        add_field => { "genre" => "json" }
        source => "message"
      }
    }
  }

但在json数据中,我有一个"类型"字段,这给我带来了很多麻烦,因为它覆盖了我原来的"类型字段"(一旦解析json,mom_rubens就不再存在了)

我有办法重命名json 中的字段吗

{"sender":"opa","type":"update","programId":"065491-000-A","emNumber":"065491-000","reassembly":"A","programCaseCode":452,"genrePressCode":0,"kind":"SHOW","parents":[],"routingKey":"update.INTERNET.K_SHOW.ALW.PRG_ANG.PRG_ESP.C452.G0","platforms":["ALW","PRG_ANG","PRG_ESP"],"date":"2016-01-14T13:49:40+0100"}

在这种情况下,我希望有类型的消息和没有类型的

问候,

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium