Retrieving RESTful GET parameters in logstash

南笙酒味 提交于 2019-12-05 13:37:57
Alain Collins

kv will take a URL and split out the params. This config works:

input {
    stdin { }
}

filter {
    mutate {
            add_field => { "request" => "http://aaa.bbb/get?a=1&b=2" }
    }

    kv {
            field_split => "&?"
            source => "request"
    }
}

output {
    stdout {
            codec => rubydebug
    }
}

stdout shows:

{
   "request" => "http://aaa.bbb/get?a=1&b=2",
         "a" => "1",
         "b" => "2"
}

That said, I would encourage you to create your own versions of the default URI patterns so that they set fields. You can then pass the querystring field off to kv. It's cleaner that way.

UPDATE:

For "make your own patterns", I meant to take the existing ones and modify them as needed. In logstash 1.4, installing them was as easy as putting them in a new file the 'patterns' directory; I don't know about patterns for >1.4 yet.

MY_URIPATHPARAM %{URIPATH}(?:%{URIPARAM:myuriparams})?
MY_URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{MY_URIPATHPARAM})?

Then you could use MY_URI in your grok{} pattern and it would create a field called myuriparams that you could feed to kv{}.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!