Processing order
Mutations in a config file are executed in this order:
filter {
mutate {
uppercase => "message"
remove_field => [ "@timestamp", "@version", "path", "host" ]
}
}{
"message" => "192.168.124.47 - - [12/OCT/2015:07:42:21 +0900] \"GET / HTTP/1.1\" 302 -\r"
}
{
"message" => "192.168.124.47 - - [12/OCT/2015:13:42:28 +0900] \"GET /KOR/IMG/VISION.PNG HTTP/1.1\" 206 1\r"
}대문자 변경 후, 다시 소문자로 변경하는 설정 추가.
filter {
mutate {
uppercase => "message"
lowercase => "message"
remove_field => [ "@timestamp", "@version", "path", "host" ]
}
}{
"message" => "192.168.124.47 - - [12/oct/2015:07:42:21 +0900] \"get / http/1.1\" 302 -\r"
}
{
"message" => "192.168.124.47 - - [12/oct/2015:13:42:28 +0900] \"get /kor/img/vision.png http/1.1\" 206 1\r"
}uppercase, lowercase의 순서를 바꾸면?
filter {
mutate {
lowercase => "message"
uppercase => "message"
remove_field => [ "@timestamp", "@version", "path", "host" ]
}
}uppercase 옵션은 동작하지 않는다.
{
"message" => "192.168.124.47 - - [12/oct/2015:07:42:21 +0900] \"get / http/1.1\" 302 -\r"
}
{
"message" => "192.168.124.47 - - [12/oct/2015:13:42:28 +0900] \"get /kor/img/vision.png http/1.1\" 206 1\r"
}지원하지 않는 순서를 유지하고 싶다면 mutate 필터를 따로 선언해줘야 함.
filter {
mutate {
lowercase => "message"
}
mutate {
uppercase => "message"
remove_field => [ "@timestamp", "@version", "path", "host" ]
}
}{
"message" => "192.168.124.47 - - [12/OCT/2015:07:42:21 +0900] \"GET / HTTP/1.1\" 302 -\r"
}
{
"message" => "192.168.124.47 - - [12/OCT/2015:13:42:28 +0900] \"GET /KOR/IMG/VISION.PNG HTTP/1.1\" 206 1\r"
}그런데 가끔은 순서가 틀려도 잘 된다(..)
filter {
mutate {
merge => { "message" => "host" }
gsub => [ "message", "-.*", "" ]
remove_field => [ "@timestamp", "@version", "path", "host" ]
}
}{
"message" => [
[0] "192.168.124.47 ",
[1] "MHKANG"
]
}
{
"message" => [
[0] "192.168.124.47 ",
[1] "MHKANG"
]
}관련 글
댓글 없음:
댓글 쓰기