After the json filter, add another filter named mutate to add two fields taken from the parsedJson field.

    filter {
      ...
      json {
        ...
      }
      mutate {
        add_field => {
          "firstname" => "%{[parsedJson][firstname]}"
          "lastname" => "%{[parsedJson][lastname]}"
        }
      }
    }

For the sample log line above, this yields:

    {
      "message" => "MyLine data={"firstname":"bob","lastname":"the builder"}",
      "@version" => "1",
      "@timestamp" => "2015-11-26T11:54:52.556Z",
      "host" => "iMac.local",
      "MyWord" => "MyLine",
      "parsedJson" => {
        "firstname" => "bob",
        "lastname" => "the builder"
      },
      "firstname" => "bob",
      "lastname" => "the builder"
    }
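
A guarded variant of the mutate step, added here as an example and not part of the original answer: when a referenced field is missing, Logstash leaves the `%{[parsedJson][firstname]}` reference in the new field as literal text, which can pollute downstream searches and detections. The block assumes it is placed after the json filter shown above; the tag name `parsedjson_missing_name` is hypothetical.

```logstash
filter {
  # Copy the nested values only when both exist, so that an unresolved
  # "%{[parsedJson][...]}" reference never ends up stored as a field value.
  if [parsedJson][firstname] and [parsedJson][lastname] {
    mutate {
      add_field => {
        "firstname" => "%{[parsedJson][firstname]}"
        "lastname"  => "%{[parsedJson][lastname]}"
      }
    }
  } else {
    # Hypothetical tag name: marks events whose JSON payload lacked the
    # expected keys so they can be routed or reviewed separately.
    mutate {
      add_tag => [ "parsedjson_missing_name" ]
    }
  }
}
```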


