logstash
尝试通过换行符分割消息(
"\n"Logstash 代码:
mutate{
split => ["traceback", "\n"]
add_field => {"traceback_last_line" => "%{[traceback][-1]}"}
}
输入:
[traceback] =
"File "<doctest...>", line 10, in <module>
lumberjack()
File "<doctest...>", line 4, in lumberjack
bright_side_of_death()
IndexError: tuple index out of range"
我使用
gsub'\n' mutate {
copy => { "traceback" => "traceback_tmp" }
}
mutate {
gsub => ["traceback_tmp", "\n", "::"]
}
mutate {
split => {"traceback_tmp" => "::"}
add_field => ["traceback_summary", "%{[traceback_tmp][-1]}"]
remove_field => ["traceback_tmp"]
}
有一种方法只使用 split。
filter {
mutate {
# It is very important that you only have a carriage return inside your quotes, no spaces, don't indent the code.
split => { "metrics" => "
" }
}