Lostash event API详解

来源：互联网发布：cf36 2检测到数据异常编辑：程序博客网时间：2024/06/05 21:56

我们使用Logstash的ruby filter时，不可避免地要对event进行处理。然而蛋疼的是，Elastic的官方文档https://www.elastic.co/guide/en/logstash/5.6/event-api.html只给出了get和set两个方法的描述。exm？
文档没有，只能看源码了。Event API的描述位于https://github.com/elastic/logstash/blob/master/logstash-core/src/main/java/org/logstash/ext/JrubyEventExtLibrary.java，除了基本的get和set外，还提供了丰富的接口。我们能用到的方法包括：

删除事件：cancel
取消删除事件：uncancel
是否删除：cancelled?
是否包含字段：include?
删除字段：remove
事件转字符串：to_s
事件转hash字典（不含metadata字段）：to_hash
事件转hash字典（含metadata字段）：to_hash_with_metadata
事件转json字符串：to_json
增加tag：tag
取事件时间戳：timestamp

为直观展示各个方法的作用，我们写一个测试配置文件，对这些方法进行测试：

input {    stdin {        codec => json    }}filter {    ruby {        code => '            event.cancel            event.set("cancelled", event.cancelled?)            event.uncancel            event.set("include", event.include?("hello"))            event.remove("hello")            event.set("to_s", event.to_s)            event.set("to_hash", event.to_hash)            event.set("to_hash_with_metadata", event.to_hash_with_metadata)            event.set("to_json", event.to_json)            event.tag("_test_tag")            event.set("timestamp", event.timestamp)        '    }}output {    stdout {        codec => rubydebug    }}

测试结果如下。可见，上述方法都能被正常调用。

[root@Miix ~]# logstash -f test.conf
Sending Logstash’s logs to /var/log/logstash which is now configured via log4j2.properties
The stdin plugin is now waiting for input:
{“hello”:”world”}
{
“include” => true,
“@timestamp” => 2017-09-23T05:26:40.265Z,
“to_json” => “{\”include\”:true,\”@timestamp\”:\”2017-09-23T05:26:40.265Z\”,\”to_hash_with_metadata\”:{\”include\”:true,\”@timestamp\”:\”2017-09-23T05:26:40.265Z\”,\”@version\”:\”1\”,\”host\”:\”Miix.mvpboss1004.com\”,\”cancelled\”:true,\”to_s\”:\”2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}\”,\”to_hash\”:{\”include\”:true,\”@timestamp\”:\”2017-09-23T05:26:40.265Z\”,\”@version\”:\”1\”,\”host\”:\”Miix.mvpboss1004.com\”,\”cancelled\”:true,\”to_s\”:\”2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}\”}},\”@version\”:\”1\”,\”host\”:\”Miix.mvpboss1004.com\”,\”cancelled\”:true,\”to_s\”:\”2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}\”,\”to_hash\”:{\”include\”:true,\”@timestamp\”:\”2017-09-23T05:26:40.265Z\”,\”@version\”:\”1\”,\”host\”:\”Miix.mvpboss1004.com\”,\”cancelled\”:true,\”to_s\”:\”2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}\”}}”,
“to_hash_with_metadata” => {
“include” => true,
“@timestamp” => 2017-09-23T05:26:40.265Z,
“@version” => “1”,
“host” => “Miix.mvpboss1004.com”,
“cancelled” => true,
“to_s” => “2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}”,
“to_hash” => {
“include” => true,
“@timestamp” => 2017-09-23T05:26:40.265Z,
“@version” => “1”,
“host” => “Miix.mvpboss1004.com”,
“cancelled” => true,
“to_s” => “2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}”
}
},
“@version” => “1”,
“host” => “Miix.mvpboss1004.com”,
“cancelled” => true,
“to_s” => “2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}”,
“to_hash” => {
“include” => true,
“@timestamp” => 2017-09-23T05:26:40.265Z,
“@version” => “1”,
“host” => “Miix.mvpboss1004.com”,
“cancelled” => true,
“to_s” => “2017-09-23T05:26:40.265Z Miix.mvpboss1004.com %{message}”
},
“tags” => [
[0] “_test_tag”
],
“timestamp” => 2017-09-23T05:26:40.265Z
}

阅读全文

0 0