Logstash - Use of Memorize plugin

Posted 2019-02-27 17:13

Trying to use the "memorize" plugin like so:

            if [message] =~ /matching event/ {

                grok {
                    match => [ "message", "%{mymatch:datetime}" ]
                }

                memorize {
                    field => [datetime]
                }
            }

            if [message] =~ /another event/ {
                mutate {
                    add_field => {
                        datetime => "%{datetime}"
                    }
                }
            }

A field called datetime is being added, but it only contains the text "%{datetime}". Clearly I'm using the plugin incorrectly. Can anyone advise on how to reference the memorized value please?

Thanks.

1 Answer
孤傲高冷的网名
#2 · 2019-02-27 17:37

The way that plugin works would be like this:

        if [message] =~ /matching event/ {
            grok {
                match => [ "message", "%{mymatch:datetime}" ]
            }
        }
        # either save the datetime or add it based on last value
        memorize {
           field => 'datetime'
           default => '00:00:00'
        }

        if [message] =~ /another event/ {
            # datetime has already been added based on the above line
        }
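
The difference between the two layouts, modeled in plain Ruby as an added example (not part of the question or the answer, and not the plugin's code). It assumes memorize behaves as the answer's comment describes and that events pass through a single worker in order; `Memorize`, `expand`, `grok` and the time pattern are hypothetical stand-ins.

```ruby
# Model of the filter behaviour the answer describes; not the plugin's source.
# Assumption: one pipeline worker handles events in order.
class Memorize
  def initialize(field, default)
    @field, @saved = field, default
  end
  # Save the field when the event has it; otherwise add the last saved value.
  def filter(event)
    return @saved = event[@field] if event.key?(@field)
    event[@field] = @saved
  end
end

# Logstash-style %{field} expansion: a reference to a missing field stays literal.
def expand(template, event)
  template.gsub(/%\{(\w+)\}/) { event.fetch($1, $&) }
end

# Stand-in for the grok step; this time pattern is hypothetical.
def grok(event)
  event['datetime'] = $& if event['message'] =~ /\d\d:\d\d:\d\d/
end

# Layout from the question: memorize runs only inside the first conditional.
def question_pipeline(messages)
  mem = Memorize.new('datetime', nil)
  messages.map do |msg|
    ev = { 'message' => msg }
    if msg =~ /matching event/
      grok(ev)
      mem.filter(ev)
    end
    ev['datetime'] = expand('%{datetime}', ev) if msg =~ /another event/
    ev
  end
end

# Layout from the answer: memorize runs on every event.
def answer_pipeline(messages)
  mem = Memorize.new('datetime', '00:00:00')
  messages.map do |msg|
    ev = { 'message' => msg }
    grok(ev) if msg =~ /matching event/
    mem.filter(ev)
    ev
  end
end

SAMPLE = ['12:30:01 matching event', 'another event'].freeze # constructed input
```

In the question's layout the second event never reaches memorize, so the `%{datetime}` reference has nothing to resolve against; in the answer's layout the same event receives the saved value, or the default when nothing has been saved yet.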