# Source: tail a single application log file from a fixed local path.
input {
  file {
    path => "/data/tonfay/inputlog/1.log"
  }
}
filter {
  # Pipeline overview: split each '#'-delimited log line into five named fields,
  # tidy them, parse the timestamp, extract ",,"-separated key/value pairs from
  # the free-text part, and finally decode the JSON held in the "body" key.
  # Every value handled here comes straight from log content, so downstream
  # consumers should treat the resulting fields as untrusted input.

  # Split the raw line on '#' and copy parts 0-4 into named fields.
  # NOTE(review): add_field is a common option applied once the mutate itself has
  # succeeded, so the %{[message][N]} references should see the split array — confirm
  # on the deployed Logstash version. A line with fewer than five parts leaves the
  # unresolved "%{[message][N]}" text in the field, and anything after the fifth
  # '#' is lost when "message" is removed below.
  mutate {
    split => ["message", "#"]
    add_field => {"doctime" => "%{[message][0]}"}
    add_field => {"threadname" => "%{[message][1]}"}
    add_field => {"level" => "%{[message][2]}"}
    add_field => {"classpath" => "%{[message][3]}"}
    add_field => {"contents" => "%{[message][4]}"}
  }
  # Strip leading and trailing whitespace from the field values.
  mutate {
    strip => ["doctime", "threadname", "level", "classpath","contents"]
  }
  # Replace newlines inside the log content with spaces, and drop the original
  # "message" field now that its parts have been copied out.
  mutate {
    remove_field => "message"
    gsub => ["contents","\n"," "]
  }
  # Parse doctime as the event timestamp, then delete the doctime field.
  # NOTE(review): remove_field is only applied when the date match succeeds, so an
  # unparseable doctime stays on the event; no timezone is set here — confirm the
  # log timestamps are in the timezone Logstash assumes.
  date {
    match => ["doctime", "yyyy-MM-dd HH:mm:ss.SSS" ]
    remove_field => ["doctime"]
  }
  # Extract key/value pairs from "contents" (pairs separated by ",,"). Only keys on
  # the include_keys allowlist are kept; keys are lowercased and the resulting
  # fields carry the "pre_" prefix (the json filter below reads "pre_body").
  # NOTE(review): the allowlist contains "token", and also identifiers such as
  # "userid", "remoteip" and "platenum". If "token" holds a credential or session
  # value it will be copied into every event and into whatever the output section
  # writes — confirm this is intended, or drop/mask it before output.
  # NOTE(review): "traceid" and "citycode" are listed twice in include_keys; the
  # repeats look redundant.
  kv {
    recursive => "true"
    source => "contents"
    field_split_pattern => ",,"
    # Keep only one entry for duplicate keys.
    # NOTE(review): per the kv filter documentation, true (the default) keeps
    # duplicate key/value pairs and false keeps a single unique pair, so this
    # setting appears to contradict the comment above — confirm which is intended.
    allow_duplicate_values => true
    add_tag => "kvcheckout"
    include_keys => ["body", "aaa","adminid","workno","taskno","citycode","lth","traceid","remoteappid","remoteip","reqseq","token","exception","userid","carid","traceid","orderid","citycode","uri","method","executetime","mqgorupname","mqnamesrvaddr","mqtopic","mqtag","cachekey","cacheobj","cacheexpire","msg1","terminalid","platenum" ]
    transform_key => "lowercase"
    #target => "arg"
    prefix => "pre_"
  }
  # json_encode {
  # source => "pre_body"
  # target => "pre_body_sss"
  # }
  # Decode the JSON text in pre_body into the nested field pre_body_s2.
  # NOTE(review): "h2" looks like a debugging field; when receiveTime is absent
  # from the decoded body the unresolved "%{[pre_body_s2][receiveTime]}" text is
  # stored instead of a value.
  json {
    source => "pre_body"
    target => "pre_body_s2"
    # add_field => {"h1" => "h1"}
    add_field => {"h2" => "Hello world, from %{[pre_body_s2][receiveTime]}"}
  }
  # Copy receiveTime to a top-level field, only when the decoded body has one.
  # NOTE(review): the field name "fffffff" looks like a placeholder — confirm.
  if [pre_body_s2][receiveTime] {
    mutate {
      add_field => {"fffffff" => "%{[pre_body_s2][receiveTime]}"}
    }
  }
  # Disabled experiment: a hand-written ruby filter that split "body" on ",," and
  # then on "="; the kv filter above covers the same ground.
  #ruby {
  # code => "
  # body=event.get('body')
  # #event.set('body_value',body)
  # a=body.split(',,')
  # #a.each do |i|
  # #b=a[i]
  # #event.set(b,'1')
  # #endi
  # j = 0
  # for i in a do
  # j = j + 1
  # #event.set('1','1'
  # #print #{i}
  # #print j
  # #event.set(j.to_s,i)
  # v = i.split('=')
  # v_key = v[0]
  # v_value = v[1]
  # #event.set(v_key,v_value)
  # end
  #
  # "
  # }
}
# Sink: print each processed event to standard output in rubydebug form.
# Every field on the event is printed, including any extracted by the filters.
output {
  stdout {
    codec => rubydebug
  }
}