1、包含某字符串的日志drop
if([message] =~ “Cannot request all”){ drop {} }
2、[fields][type]
if [fields][type] == “*******” {
}
3、string转换成float
mutate {
convert => [“request_time”, “float”]
convert => [“upstream_response_time”, “float”]
}
4、添加uuid ,logstash ip
add_field => { “logstash_host” => “172.0.0.1”}
add_field => { “uuid” => “%{host[name]}_%{offset}”}