请问在logstash中分割filebeat送上来的数据。
比如我想提取source 中的用户,如admin, k1 .... 还有分割message, 把时间提取出来。
有没有表达式的教程?
{
"@timestamp": "2018-02-09T02:34:35.645Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.1.2"
},
"source": "/home/admin/.bash_history",
"offset": 596,
"message": "#1518139792\nexit",
"tags": [
"history"
],
"prospector": {
"type": "log"
},
"beat": {
"hostname": "elk",
"version": "6.1.2",
"name": "elk"
}
}
{
"@timestamp": "2018-02-09T02:34:35.660Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.1.2"
},
"beat": {
"version": "6.1.2",
"name": "elk",
"hostname": "elk"
},
"source": "/home/k1/.history",
"offset": 150,
"message": "#+1518057299\nexit",
"tags": [
"history"
],
"prospector": {
"type": "log"
}
}
比如我想提取source 中的用户,如admin, k1 .... 还有分割message, 把时间提取出来。
有没有表达式的教程?
{
"@timestamp": "2018-02-09T02:34:35.645Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.1.2"
},
"source": "/home/admin/.bash_history",
"offset": 596,
"message": "#1518139792\nexit",
"tags": [
"history"
],
"prospector": {
"type": "log"
},
"beat": {
"hostname": "elk",
"version": "6.1.2",
"name": "elk"
}
}
{
"@timestamp": "2018-02-09T02:34:35.660Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.1.2"
},
"beat": {
"version": "6.1.2",
"name": "elk",
"hostname": "elk"
},
"source": "/home/k1/.history",
"offset": 150,
"message": "#+1518057299\nexit",
"tags": [
"history"
],
"prospector": {
"type": "log"
}
}
0 个回复