grok 添加字段

filter {
    grok {
        match =>[ 
             "message","%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} %{URIPATHPARAM:request}?.* HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?

<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)", 
             "message" , "%{IPORHOST:clientip} [%{HTTPDATE:time}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" - %{NUMBER:http_status_code} %{NUMBER:bytes} "(?

<http_referer>S+)" "(?<http_user_agent>(S+s+)*S+)" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
             
        ]
    }   
        geoip {
                        source => "http_x_forwarded_for"
                        target => "geoip"
                        database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
                        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
                }
                mutate {
                        convert => [ "[geoip][coordinates]", "float"]
                }
     
}



/*******************

zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {stdin {} }

filter {
  geoip {
   source =>"message"
 }
} 


output {
      stdout {
               codec => rubydebug{}
                } 
}


zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
       "message" => "202.101.172.35",
      "@version" => "1",
    "@timestamp" => "2016-09-11T02:54:11.116Z",
          "host" => "0.0.0.0",
         "geoip" => {
                    "ip" => "202.101.172.35",
         "country_code2" => "CN",
         "country_code3" => "CHN",
          "country_name" => "China",
        "continent_code" => "AS",
              "latitude" => 35.0,
             "longitude" => 105.0,
              "location" => [
            [0] 105.0,
            [1] 35.0
        ]
    }
}


/*******************添加字段
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {stdin {} }

filter {
  geoip {
   source =>"message"
  add_field => [ "[geoip][scantest]", "%{[geoip][location][0]}" ]
 }
} 


output {
      stdout {
               codec => rubydebug{}
                } 
}

zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
       "message" => "202.101.172.35",
      "@version" => "1",
    "@timestamp" => "2016-09-11T02:57:07.832Z",
          "host" => "0.0.0.0",
         "geoip" => {
                    "ip" => "202.101.172.35",
         "country_code2" => "CN",
         "country_code3" => "CHN",
          "country_name" => "China",
        "continent_code" => "AS",
              "latitude" => 35.0,
             "longitude" => 105.0,
              "location" => [
            [0] 105.0,
            [1] 35.0
        ],
              "scantest" => 105.0
    }
}

相关阅读:
P2515 [HAOI2010]软件安装
 P2502 [HAOI2006]旅行最小生成树
 Luogu P2511 [HAOI2008]木棍分割二分+DP
P2303 [SDOI2012]Longge的问题我傻QwQ
P1129 [ZJOI2007]矩阵游戏二分图匹配
 BZOJ3211花神游历各国
 [HNOI2011]XOR和路径
 NOIP考前划水
 [IOI2018]组合动作
 [NOIP2017]逛公园
原文地址：https://www.cnblogs.com/zhaoyangjian724/p/6199228.html