不为失败找理由,要为成功找方法。

logstash怎么对切割过的字段再次切割

Logstash | 作者 a505100745 | 发布于2018年05月08日 | 阅读数:5229

message显示内容如下:
"message" => "{\"http_host\": \"api.xxxx.com\", \"time_local\": \"08/May/2018:17:21:46 +0800\", \"remote_addr\": \"10.0.0.23\", \"remote_user\": \"-\", \"request\": \"GET /user/info?_time=1525771301408&access_token=xxxx-xxxx-xxxx-xxx-xxxxxxx&sign=xxxxxxxx_user_id=&_version=4.1.0&os=ios HTTP/1.1\", \"status\": \"200\", \"body_bytes_sent\": \"350\", \"http_referrer\": \"-\", \"http_user_agent\": \"%E6%8A%95%E9%A1%BE%E5%A4%A7%E5%B8%88/70815 CFNetwork/887 Darwin/17.0.0\", \"http_x_forwarded_for\": \"xx.xx.xx.xx, 10.255.0.4\", \"request_time\": \"0.005\", \"upstream_response_time\": \"0.005\"} "
}
现在对request进行第一次切割,以空格为分割附切割的,切割后分成三部分:
"request" => [
[0] "GET",
[1] "/user/info?_time=1525771301408&access_token=xxxxxx-xxxx-xxxx-xxxx-xxxxx&sign=xxxxxxxxxxxx&_user_id=&_version=4.1.0&os=ios",
[2] "HTTP/1.1"
],
然后添加三个新的字段:
"request_method" => "GET"
"request_uri" => "/user/info?_time=1525771301408&access_token=xxxxx-xxxx-xxxx-xxxx-xxxxxx&sign=xxxxxxxxxxxx&_user_id=&_version=4.1.0&os=ios",
"http_version" => "HTTP/1.1"
这几步对应的的配置文件为:
mutate {
split => ["request"," "]
add_field => ["request_method","%{request[0]}"]
add_field => ["request_uri","%{request[1]}"]
add_field => ["http_version","%{request[2]}"]
现在想要对切割后新添加的字段request_uri,再次进行切割,遇到问题,配置文件为:
mutate {
split => ["request"," "]
add_field => ["request_method","%{request[0]}"]
add_field => ["request_uri","%{request[1]}"]
add_field => ["http_version","%{request[2]}"]

split => ["request_uri","?"]
add_field => ["request_action","%{request_uri[0]}"]
add_field => ["request_parameter","%{request_uri[1]}"]
这样logstash显示的字段为:
"request_action" => "%{request_uri[0]}",
"request_parameter" => "%{request_uri[1]}",
显示不出来想要的,有哪位大神帮忙解决下吗?提供下思路,谢谢各位大神了
已邀请:

a505100745

赞同来自:

此问题已解决。

zs11366

赞同来自:

大神,请问是怎么解决的?也遇到这个问题了,能详细说下嘛

要回复问题请先登录注册