After I use the kv plugin to parse the log, I want to filter the value further. What should I do?
My data looks like below:
level="2" treatment="3" cmd1="\"D:\Program Files (x86)\a\safe\modules\setup.exe\" /s /smartsilence" type="sys"
No, I need to filter all values. I used the target in the kv plugin, using ruby to pick up the target for parsing and filtering, but the target changed the original field name.
The original field name might be detail.name, but it now becomes kv.detail.name.
What should I do if I don't use target as a connection? Or after using the target in ruby, how to extract the data in the target to the root directory?
Oh, I see.
If you don't define a target field for the KV filter, any created field is automatically created in the event root level, which is probably what you want.
Thank you very much, it can solve my problem. But I have a question: for the timestamp field, ruby will report parsing exceptions. I used the if method of filtering; is there a better way?
[ERROR][logstash.filters.ruby ] Ruby exception occurred: undefined method `include?' for 2018-09-12T02:28:45.968Z:LogStash::Timestamp
The field is like "@timestamp" => 2018-09-12T02:28:45.969Z
I set the config as shown below:
ruby {
  code => "
    hash = event.to_hash
    hash.each { |key,value|
      # skip @timestamp: LogStash::Timestamp has no include? method
      if key != '@timestamp' and value.include? '\"'
        event.set(key, value.gsub!('\"', ''))
      end
    }
  "
}
Filter through by if key != '@timestamp' and value.include? '\"'
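An added example, not part of the original thread: one way to avoid the special case for @timestamp is to decide by value type instead of by key name, so any non-string value is skipped. FakeTimestamp, clean, quote_free_fields and the sample event are hypothetical names and constructed data; only event.to_hash and event.set come from the posts above.

```ruby
# Constructed stand-in for LogStash::Timestamp: like the real class in the
# error above, it does not respond to include?.
class FakeTimestamp
  def initialize(iso)
    @iso = iso
  end

  def to_s
    @iso
  end
end

# Remove double quotes from Strings, walk Arrays and Hashes, and return every
# other type (timestamps, numbers, nil) untouched.
def clean(value)
  case value
  when String then value.delete('"')
  when Array  then value.map { |v| clean(v) }
  when Hash   then value.transform_values { |v| clean(v) }
  else value
  end
end

# Return only the top-level fields whose value actually changed.
def quote_free_fields(fields)
  fields.each_with_object({}) do |(key, value), changed|
    cleaned = clean(value)
    changed[key] = cleaned unless cleaned == value
  end
end

# Constructed sample event, modelled on the kv output described in the thread.
SAMPLE = {
  '@timestamp' => FakeTimestamp.new('2018-09-12T02:28:45.968Z'),
  'level'      => '2',
  'treatment'  => 3,
  'cmd1'       => '"D:\Program Files (x86)\a\safe\modules\setup.exe" /s /smartsilence',
  'detail'     => { 'name' => '"setup"' },
  'tags'       => ['"a"', 'b']
}.freeze

# Inside a Logstash ruby filter the equivalent loop would be (assumption):
#   quote_free_fields(event.to_hash).each { |k, v| event.set(k, v) }
if __FILE__ == $PROGRAM_NAME
  quote_free_fields(SAMPLE).each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

Only changed fields are written back, so @timestamp and numeric fields are never passed to a string method.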