Filter plugins ? mutate:

filter {
    grok {
        match => [
             "message" , "s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))?.*s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+

%{NUMBER:bytes}s+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
              "message" ,"s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+%{NUMBER:bytes}s

+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
             "message" ,"s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+-s

+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
             "message","s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+-s

+(%{BASE16FLOAT:request_time})s+(%{IPORHOST:remoteip}|-)"
        ]
    }   
        mutate {
                        convert => [ "request_time", "float"]
                       add_field =>["response_time","%{request_time}"]
                        remove_field =>["request_time"]
                       add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ]
                       add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ]
                        add_field =>["messager","%{type}-%{message}"]
                         remove_field =>["message"]
                }


Filter plugins ? mutate:

mutate 插件 允许你执行一般的mutations 在字段上,你可以rename, remove, replace, and modify fields in your events.


简介:

插件支持下下面的配置选项:

需要的配置选项

mutate {
}