大家好,
通过logstash,我想查询elasticsearch以便从以前的事件中获取字段,并使用当前事件的字段进行一些计算并添加新字段。这是我做的:
输入文件:
{"device":"device1","count":5}
{"device":"device2","count":11}
{"device":"device1","count":8}
{"device":"device3","count":100}
{"device":"device3","count":95}
{"device":"device3","count":155}
{"device":"device2","count":15}
{"device":"device1","count":55}
我的预期输出:
{"device":"device1","count":5,"previousCount=0","delta":0}
{"device":"device2","count":11,"previousCount=0","delta":0}
{"device":"device1","count":8,"previousCount=5","delta":3}
{"device":"device3","count":100,"previousCount=0","delta":0}
{"device":"device3","count":95,"previousCount=100","delta":-5}
{"device":"device3","count":155,"previousCount=95","delta":60}
{"device":"device2","count":15,"previousCount=11","delta":4}
{"device":"device1","count":55,"previousCount=8","delta":47}
Logstash过滤器部分:
filter {
elasticsearch {
hosts => ["localhost:9200/device"]
query => 'device:"%{[device]}"'
sort => "@timestamp:desc"
fields => ['count','previousCount']
}
if [previousCount]{
ruby {
code => "event[delta] = event[count] - event[previousCount]"
}
}
else{
mutate {
add_field => { "previousCount" => "0" }
add_field => { "delta" => "0" }
}
}
}
我的问题: 对于输入文件的每一行,我收到以下错误:无法查询以前事件的elasticsearch .. 在logstash开始处理下一行之前,似乎完全处理的每一行都没有放入elasticsearch。
我不知道我的结论是否正确,如果是,为什么会发生。
那么,你知道我怎么能解决这个问题吗?!
感谢您的关注和帮助。
取值