Add fields to logstash based off of filebeat data

Submitted by 吃可爱长大的小学妹 on 2019-12-12 01:58:15

Question


So, I have a hostname that is being set by filebeat (and I've written a regex that should grab it), but the following isn't adding fields the way that I think it should.

grok{
  patterns_dir => "/config/patterns"
  match =>{ "beat.hostname" => ["%{INSTALLATION}-%{DOMAIN}-%{SERVICE}"] }
    add_field => { "[installation]" => "%{INSTALLATION}"}
    add_field => { "[domain]" => "%{DOMAIN}"}
    add_field => { "[service]" => "%{SERVICE}"}

 }  

I can't seem to access beat.hostname, hostname, host or anything like that to add the fields that I want. At present the hostname is: BOS-LAP-MYNAME1

Which should be matched by:

INSTALLATION [^-]{1,3}
DOMAIN (BOS|LAP)
SERVICE (MYNAME1|TEST|12345)

Also note: I've tried the "host", "hostname" and other field names like that to no avail as well, despite those fields being available in Kibana.


Answer 1:


Since hostname is nested under beat you need to match against [beat][hostname] rather than beat.hostname. And to add those fields to the document use the form of %{PATTERN:fieldname} in the match parameter.

filter {
  grok {
    patterns_dir => ["/config/patterns"]
    match => {
      "[beat][hostname]" => "%{INSTALLATION:installation}-%{DOMAIN:domain}-%{SERVICE:service}"
    }
  }
}
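
A self-contained pipeline for trying the fix above, added here as an example and not part of the original answer. The generator input, the inline pattern_definitions (standing in for the /config/patterns file), the anchors and the hostname_parse_failure tag name are assumptions; both events are constructed.

```logstash
# Constructed test pipeline: two sample events shaped like Filebeat output,
# with the hostname nested under "beat".
input {
  generator {
    lines => [
      '{"beat":{"hostname":"BOS-LAP-MYNAME1"},"message":"constructed event 1"}',
      '{"beat":{"hostname":"unexpected-host"},"message":"constructed event 2"}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  grok {
    # Inline copies of the question's three patterns (assumption: used here
    # instead of patterns_dir so the file runs on its own).
    pattern_definitions => {
      "INSTALLATION" => "[^-]{1,3}"
      "DOMAIN"       => "(BOS|LAP)"
      "SERVICE"      => "(MYNAME1|TEST|12345)"
    }
    # [beat][hostname] is the nested field reference; "beat.hostname" would be
    # read as a single top-level field literally named "beat.hostname".
    # ^ and $ make the whole hostname match, not just a substring of it.
    match => {
      "[beat][hostname]" => "^%{INSTALLATION:installation}-%{DOMAIN:domain}-%{SERVICE:service}$"
    }
    # Hypothetical tag name, so unparsed hostnames are easy to find in Kibana.
    tag_on_failure => ["hostname_parse_failure"]
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with bin/logstash -f against this file: the first event gains installation, domain and service, while the second keeps only its original fields plus the hostname_parse_failure tag.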


Source: https://stackoverflow.com/questions/39211486/add-fields-to-logstash-based-off-of-filebeat-data
