传递 if 语句时出现 logstash 错误答案

【问题标题】：Error in logstash while passing if statement传递 if 语句时出现 logstash 错误
【发布时间】：2018-12-28 17:03:13
【问题描述】：

我是 logstash 的新手。当我尝试在 logstash 配置文件中添加 if 语句时，它给了我错误

如果使用的语句是：

if {await} > 10 
{ mutate {add_field => {"RULE_DATA" => "Value is above threshold"}
    add_field => {"ACTUAL_DATA" => "%{await}"}
    }
}

面临的错误如下：

[错误] 2018-07-20 16:52:21.327 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/ lib/stud/task.rb:22] 代理 - 无法执行操作 {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected #, => 之一，在第 18 行，第 10 列（字节 729）过滤后{\n grok {\n patterns_dir => [\"./patterns\"]\n match => { \"message\" => [\"%{TIME:time}%{SPACE}%{USERNAME:device}%{SPACE}%{USERNAME:tps}%{SPACE}%{SYSLOGPROG:rd_sec/s}%{SPACE}%{SYSLOGPROG:wr_sec /s}%{SPACE}%{SYSLOGPROG:avgrq-sz}%{SPACE}%{SYSLOGPROG:avgqu-sz}%{SPACE}%{NUMBER:await}%{SPACE}%{SYSLOGPROG:svctm}%{SPACE }%{SYSLOGPROG:%util}\"]\n }\n 覆盖 => [\"message\"]\n } \n if \"_grokparsefailure\" in [tags] {\n drop { }\n } \nif {await", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:在compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/ lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/ usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:在block in converge_state'", "org/jruby/RubyArray.java:1734:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:inblock inverge_state_and_update'", "/usr/share/logstash/logstash- core/lib/logstash/agent.rb:141:in with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:inblock in execute' ", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

请提出导致此错误的原因。

【问题讨论】：

标签： logstash

【解决方案1】：

您有语法错误。如果您有一个字段作为名称，它会等待。像 grok parse 的输出等。使用下面的

if [await] > 10 
{ 
    mutate {
       add_field => {"RULE_DATA" => "Value is above threshold"}
       add_field => {"ACTUAL_DATA" => "%{await}"}
    }
}

【讨论】：

如果此答案解决了您的问题，请随时接受:)

【解决方案2】：

[] 不是{} 中包含的Logstash 条件表达式，请看conditional documentation 中的以下示例，

filter {
  if [action] == "login" {
    mutate { remove_field => "secret" }
  }
}

【讨论】：

是的，但是当我在方括号中关闭它时，它给出了错误“将字符串与 10 进行比较”，所以我改为大括号，这样做解决了该错误。不确定这是否正确。
action 字段中有什么内容？你能发布实际的日志吗