【Logstash 1.5.6】Filter-mutate

一、mutate

[root@hftest0001 logstash-1.5.6]# pwd
/opt/logstash-1.5.6

[root@hftest0001 logstash-1.5.6]# cat conf/input_file-output_console.conf
input{
	file{
		type => "cms"
		path => [ "/opt/logstash-data/input/*.log" ]
		add_field => {
			"received_at"=>"%{timestamp}"
			"received_from"=>"%{host}"
		}
	}
}


filter{
	mutate{
	        #可以随意替换上游的任何字段,如果不存在，则添加
		replace => {
		    "received_at" => "%{host}:My New Message"
                    "received_at_not_exists" => "%{host}:My New Message"
                }
                
                #修改上游field的名称
                rename => {
                    "received_from" => "from"
                }
	}
}

output{
	stdout{
		codec => rubydebug 
	}
}

[root@hftest0001 logstash-1.5.6]# ./bin/logstash -f conf/
...
...
Logstash startup completed


[root@hftest0001 ~]# echo "3" >> /opt/logstash-data/input/1.log 
{
                   "message" => "3",
                  "@version" => "1",
                "@timestamp" => "2016-02-02T06:29:08.367Z",
                      "host" => "hftest0001",
                      "path" => "/opt/logstash-data/input/1.log",
                      "type" => "cms",
               "received_at" => "hftest0001:My New Message",        => value别替换了
                      "from" => "hftest0001",                       => rename
    "received_at_not_exists" => "hftest0001:My New Message"         => field不存在，则新增field
}