zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat stdin04.conf
input {
stdin {
}
}
filter {
# drop sleep events
grok {
match => { "message" => "SELECT aaa" }
add_tag => [ "sleep_aaa" ]
tag_on_failure => [] # prevent default _grokparsefailure tag on real records
}
grok {
match => { "message" => "SELECT bbb" }
add_tag => [ "sleep_bbb" ]
tag_on_failure => [] # prevent default _grokparsefailure tag on real records
}
}
output {
if "sleep_aaa" in [tags]{
stdout {
codec=>rubydebug{}
}
}
else if "sleep_bbb" in [tags]{
stdout {
codec=>json
}
}
}
[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin04.conf
Settings: Default pipeline workers: 1
Pipeline main started
SELECT aaa
{
"message" => "SELECT aaa",
"@version" => "1",
"@timestamp" => "2016-09-15T04:44:53.052Z",
"host" => "0.0.0.0",
"tags" => [
[0] "sleep_aaa"
]
}
SELECT bbb
{"message":"SELECT bbb","@version":"1","@timestamp":"2016-09-15T04:45:02.555Z","host":"0.0.0.0","tags":["sleep_bbb"]}