Rules for Configuring Parsers
The tenant-side data collection uses custom Logstash collectors for data transmission. Parsers mainly work as codeless filters in Logstash. Currently, the following types of Logstash filter plugins are supported.
Parser |
Plug-in in Logstash |
Description |
---|---|---|
Key-Value filter |
kv |
Parses key-value pairs. For details about parsing rules, see Table 2. |
Mutate filter |
mutate |
Performs general mutations on fields. For details about parsing rules, see Table 3. |
Grok filter |
grok |
Parses regular expressions. For details about parsing rules, see Table 4. |
Date filter |
date |
Parses the date. For details about parsing rules, see Table 5. |
Drop filter |
drop |
Deletes packets. There is no specific rule. If you use this parser, logs received will be deleted. |
Prune filter |
prune |
Parses blacklists and whitelists. For details about parsing rules, see Table 6. |
CSV filter |
csv |
Parses the CSV data. For details about parsing rules, see Table 7. |
Function filter |
ruby |
Executes ruby code. For details about parsing rules, see Table 8. |
JSON filter |
json |
Converts the JSON data. For details about parsing rules, see Table 9. |
Split filter |
split |
Splits data. For details about parsing rules, see Table 10. |
Clone filter |
clone |
Duplicates data. For details about parsing rules, see Table 11. |
UUID filter |
uuid |
Parses UUIDs. For details about parsing rules, see Table 12. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Source |
source |
string |
source |
Yes |
Defines the fields to be translated. |
Target |
target |
string |
message |
No |
Defines the target fields. |
Field_split |
field_split |
string |
, |
No |
Splits fields. |
Value_split |
value_split |
string |
= |
No |
Splits fields. |
Trim_key |
trim_key |
string |
-- |
No |
Removes spaces from the key. |
Trim_value |
trim_value |
string |
-- |
No |
Removes spaces from the value. |
Allow_duplicate_values |
allow_duplicate_values |
boolean |
true |
No |
Allows duplicate values. |
Default_keys |
default_keys |
array |
-- |
No |
Adds keys. |
Exclude_keys |
exclude_keys |
array |
-- |
No |
Excludes certain keys. |
Include_keys |
include_keys |
array |
-- |
No |
Includes certain keys. |
Prefix |
prefix |
string |
-- |
No |
Performs prefix matches. |
Recursive |
recursive |
boolean |
true |
No |
Performs Recursive parsing. |
Transform_key |
transform_key |
string |
-- |
No |
Transforms keys. |
Add_field |
add_field |
hash |
-- |
No |
Adds fields. |
add_tag |
add_tag |
array |
-- |
No |
Adds tags. |
Remove_field |
remove_field |
array |
-- |
No |
Removes fields. |
Remove_tag |
remove_tag |
array |
-- |
No |
Removes tags. |
Id |
id |
string |
-- |
No |
ID. |
Whitespace |
whitespace |
string |
strict/lenient |
No |
Allows whitespace characters. |
Remove_char_key |
remove_char_key |
string |
<>[](), |
No |
Removes characters from the key. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Convert |
convert |
hash |
-- |
No |
Converts a field's value into a different type. |
Join |
join |
hash |
-- |
No |
Joins arrays. |
Lowercase |
lowercase |
array |
-- |
No |
Converts characters into its lowercase equivalent. |
Coerce |
coerce |
hash |
-- |
No |
Sets the default value of a field. |
Rename |
rename |
hash |
-- |
No |
Renames fields. |
Replace |
replace |
hash |
-- |
No |
Replaces the value of a field with a new value. |
Split |
split |
hash |
-- |
No |
Split a field to an array. |
Strip |
strip |
array |
-- |
No |
Strips spaces from fields. |
Update |
update |
hash |
-- |
No |
Updates fields. |
Uppercase |
uppercase |
array |
-- |
No |
Converts characters into its uppercase equivalent. |
Add_field |
add_field |
hash |
-- |
No |
Adds fields. |
Add_tag |
add_tag |
array |
-- |
No |
Adds tags. |
Remove_field |
remove_field |
array |
-- |
No |
Removes fields. |
Remove_tag |
remove_tag |
array |
-- |
No |
Removes tags. |
ID |
id |
string |
-- |
No |
Id |
Copy |
copy |
hash |
-- |
No |
Copies fields. |
Gsub |
gsub |
array |
-- |
No |
Replaces the gsub value. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
match |
match |
hash |
-- |
Yes |
Performs regex matches. |
Break_on_match |
break_on_match |
boolean |
true |
No |
Breaks on the first match. |
Overwrite |
overwrite |
array |
message |
No |
Overwrites fields. |
Add_field |
add_field |
hash |
-- |
No |
Adds fields. |
Add_tag |
add_tag |
array |
-- |
No |
Adds tags. |
Remove_field |
remove_field |
array |
-- |
No |
Removes fields. |
Remove_tag |
remove_tag |
array |
-- |
No |
Removes tags. |
Id |
id |
string |
-- |
No |
Id |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Match |
match |
array |
-- |
Yes |
Performs regex match. |
Target |
target |
string |
timestamp |
Yes |
Target fields. |
Add_field |
add_field |
hash |
-- |
No |
Adds fields. |
Add_tag |
add_tag |
array |
-- |
No |
Adds tags. |
Remove_field |
remove_field |
array |
-- |
No |
Removes fields. |
Remove_tag |
remove_tag |
array |
-- |
No |
Removes tags. |
Id |
id |
string |
test |
No |
Id |
Locale |
locale |
string |
-- |
No |
Locale |
Timezone |
Specifies the time zone. |
string |
+8:00 |
No |
Specifies the time zone. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Blacklist_names |
blacklist_names |
array |
-- |
No |
Excludes fields whose names match specified regular expressions. |
Blacklist_values |
blacklist_values |
array |
-- |
No |
Excludes specified fields if their values match one of the supplied regular expressions. |
Whitelist_names |
whitelist_names |
array |
-- |
No |
Includes specified fields only if their names match specified regular expressions. |
Whitelist_values |
whitelist_values |
array |
-- |
No |
Includes specified fields only if their values match one of the supplied regular expressions. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Source |
source |
string |
message |
No |
Defines the fields to be parsed. |
Columns |
columns |
array |
-- |
No |
Defines a list of column names. |
Separator |
separator |
string |
, |
No |
Defines the column separator value. |
Skip_empty_columns |
skip_empty_columns |
boolean |
true |
No |
Defines whether empty columns can be skipped. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Filter_length |
filter_length |
number |
10 |
No |
Controls the field length. |
Set_time |
set_time |
ruby_time |
123 |
No |
Sets a time. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Source |
source |
string |
message |
Yes |
Defines source fields. |
Skip_on_invalid_json |
skip_on_invalid_json |
boolean |
true |
No |
Skips invalid json fields. |
Add_field |
add_field |
hash |
null |
No |
Adds fields. |
Add_tag |
add_tag |
array |
null |
No |
Adds tags. |
Remove_field |
remove_field |
array |
null |
No |
Removes fields. |
Remove_tag |
remove_tag |
array |
null |
No |
Removes tags. |
Target |
target |
string |
message |
No |
Defines target fields. |
Parsing Rule |
Logstash Settings |
Type |
Default Value |
Mandatory |
Description |
---|---|---|---|---|---|
Field |
field |
string |
message |
Yes |
Defines fields to be splited. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot