memorize
我认为不需要为此重新打包插件。您可以使用
aggregate
过滤器实现所需的功能。
...# record host/mac in temporary mapif [action] =~ "DHCPACK" { aggregate { task_id => "%{clientip}" pre => "map['clientmac'] = event['clientmac']; map['clientname'] = event['clientname'];" map_action => "create_or_update" # timeout set to 48h timeout => 172800 }}# add host/mac where/when neededelse if [action] == "query" { aggregate { task_id => "%{clientip}" pre => "event['clientmac'] = map['clientmac']; event['clientname'] = map['clientname']" map_action => "update" }}
