Home > Blockchain >  What does this line mean ? (Logstash Conf & Grok Syntax)
What does this line mean ? (Logstash Conf & Grok Syntax)

Time:02-08

Hi i'm new to Logstash and Grok syntax, I'm trying to understand what are those line meaning

codec => multiline { pattern => "^{$" negate => "true" what => "previous" }

and

mutate {
                gsub => ["message", "'", '"']
        }

Thanks !

CodePudding user response:

it is pretty well explain in the official documentation of the multiline codec plugin:

  • pattern => ^{$ matches lines that only contain a { character and end immediately
  • negate => true means that line NOT matching the pattern are considered
  • what => previous means that the current matched line relates to the previous one

In summary, these settings mean that all lines that do NOT consist of only { belong to the previous line.

Concretely, this multiline filter is for putting together JSON data that was pretty-printed on several line, like this:

{
   "bla": {
       "test": 1
   }
}

The above pretty-printed JSON will be handled as if it had been printed as a single line, like this:

{ "bla": { "test": 1 } }

Regarding the second filter (mutate/gsub), it is used to replace all single quotes with double quotes.

Page link:https//www.codepudding.com/Blockchain/292968.html

Prev:json string format done differently
Next:JSON Tree structure with the key Folder on each level
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding