filter {
grok {
match => [
"message" , "s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))?.*s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+
%{NUMBER:bytes}s+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
"message" ,"s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+%{NUMBER:bytes}s
+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
"message" ,"s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+-s
+(%{BASE16FLOAT:request_time})s+%{IPORHOST:remoteip}",
"message","s*%{IPORHOST:clientip}s+-s+-s+[%{HTTPDATE:time}]s+"%{WORD:verb}s+(?<api>(S+))s+HTTP/%{NUMBER:httpversion}"s+%{NUMBER:http_status_code}s+-s
+(%{BASE16FLOAT:request_time})s+(%{IPORHOST:remoteip}|-)"
]
}
mutate {
convert => [ "request_time", "float"]
add_field =>["response_time","%{request_time}"]
remove_field =>["request_time"]
add_field => [ "[@metadata][zabbix_key]" , "logstash-api-access" ]
add_field => [ "[@metadata][zabbix_host]" , "dr-mysql01" ]
add_field =>["messager","%{type}-%{message}"]
remove_field =>["message"]
}
Filter plugins ? mutate:
mutate 插件 允许你执行一般的mutations 在字段上,你可以rename, remove, replace, and modify fields in your events.
简介:
插件支持下下面的配置选项:
需要的配置选项
mutate {
}