logstash - 动态字段名称
问题描述:
我的Logstash配置中的动态字段名称有问题。 这是我测试的配置: logstash - 动态字段名称
input {
generator {
lines => [ "May 15 13:42:55 logstash puppet-agent[3551]: Finished catalog run in 43",
"May 16 14:57:07 logstash puppet-agent[3551]: Starting Puppet client version" ]
count => 7
}
}
filter {
grok {
match => [ "message", "%{SYSLOGBASE} %{WORD:log}.*" ]
}
if "Starting" in [log] {
metrics {
meter => [ "%{logsource}.%{log}" ]
add_tag => [ "metric" ]
add_field => { "server" => "%{logsource}"
"bad" => "true" }
clear_interval => 5
}
}
}
output {
stdout { codec => rubydebug }
}
,这里是我的输出:(刚刚结束输出)
{
"message" => "May 15 13:42:55 logstash puppet-agent[3551]: Finished catalog run in 43",
"@version" => "1",
"@timestamp" => "2016-06-07T07:37:50.138Z",
"host" => "logstash.test.lan",
"sequence" => 6,
"timestamp" => "May 15 13:42:55",
"logsource" => "test",
"program" => "puppet-agent",
"pid" => "3551",
"log" => "Finished"
}
{
"message" => "May 16 14:57:07 logstash puppet-agent[3551]: Starting Puppet client version",
"@version" => "1",
"@timestamp" => "2016-06-07T07:37:50.138Z",
"host" => "logstash.test.lan",
"sequence" => 6,
"timestamp" => "May 16 14:57:07",
"logsource" => "test",
"program" => "puppet-agent",
"pid" => "3551",
"log" => "Starting"
}
{
"@version" => "1",
"@timestamp" => "2016-06-07T07:37:50.288Z",
"message" => "Counting: 7",
"logstash.Starting" => {
"count" => 7,
"rate_1m" => 0.0,
"rate_5m" => 0.0,
"rate_15m" => 0.0
},
"server" => "%{logsource}",
"bad" => "true",
"tags" => [
[0] "metric"
]
}
为什么领域服务器鸵鸟政策有logstash作为值从输入日志? %{logsource}适用于米选项,那么为什么不为add_field? Thx寻求帮助。
答
当收到日志事件时,将从内容中提取SYSLOGBASE信息。这是定义%{logsource}值的位置。如果该事件不是来自包含SYSLOGBASE信息的日志条目,则日志源将是未定义的。
当您收到开始消息时,logsource将在范围内定义并添加到消息中。
度量插件每隔一个间隔生成一条新消息。此消息是从头开始生成的,因此它不具有logsource或任何其他通常从单个日志条目中获取的值。
是否可以做一些解决方法,以将动态数据从原始日志添加到度量标准字段? – Rohlik
不依据文档。也许是作者的增强请求或问题... https://github.com/logstash-plugins/logstash-filter-metrics/issues –