Logstash系列： mutate拦截器的使用

 

目录

定位

demo

现状

增加filter

效果 

add_field、rename

update

uppercase

remove_field、remove_tag

split

replace

merge

cpoy​​​

convert字段类型转换

---

定位

对event的字段进行rename, remove, replace, and modify  

 

demo

现状

比如去掉@version、agent、ecs字段

 

增加filter

 

效果 

 

add_field、rename

filter {
    mutate {
        split => ["hostname", "."]
        add_field => { "shortHostname" => "%{hostname[0]}" }
    }

    mutate {
        rename => ["shortHostname", "hostname" ]
    }
}

update

   filter {
      mutate {
        update => { "sample" => "My new message" }
      }
    }

uppercase

   filter {
      mutate {
        uppercase => [ "fieldname" ]
      }
    }

 

 

remove_field、remove_tag

   filter {
      mutate {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
       
      mutate {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

split

    filter {
      mutate {
         split => { "fieldname" => "," }
      }
    }

replace

    filter {
      mutate {
        replace => { "message" => "%{source_host}: My new message" }
      }
    }

 

merge

    filter {
      mutate {
         merge => { "dest_field" => "added_field" }
      }
    }

 

cpoy
​​​

filter {
      mutate {
         copy => { "source_field" => "dest_field" }
      }
    }

 

convert字段类型转换

   filter {
      mutate {
        convert => {
          "fieldname" => "integer"
          "booleanfield" => "boolean"
        }
      }
    }