Common processor use cases
The following are common scenarios, with example configurations, for combining processors:
Example: Normalize the log format and add metadata
Parse JSON logs, normalize field names, and add environment information:
processor:
  - parse_json: {}
  - rename_keys:
      entries:
        - from_key: "timestamp"
          to_key: "@timestamp"
        - from_key: "log_level"
          to_key: "level"
  - add_entries:
      entries:
        - key: "environment"
          value: "production"
        - key: "application"
          value: "payment-service"
Example: Clean up and normalize field values
Normalize status codes and remove sensitive data:
processor:
  - uppercase_string:
      with_keys: ["status", "method"]
  - delete_entries:
      with_keys: ["credit_card", "password"]
  - substitute_string:
      entries:
        - source: "status"
          from: "SUCCESS"
          to: "OK"
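To see what the first two chains above actually do to an event, here is an added Python simulation (not the product's own processing engine; the per-processor semantics it implements are assumptions drawn from the descriptions on this page) that runs those processors in order over a constructed log line and then checks that the redacted keys are really gone before the event moves on.

```python
import json
# Constructed sample log line (not from the page): the fields the first two examples touch, plus secrets.
RAW_LOG = ('{"timestamp": "2024-01-01T00:00:00Z", "log_level": "INFO", "status": "success", '
           '"method": "get", "credit_card": "4111-0000-0000-0000", "password": "hunter2"}')
# The page's first two processor chains, concatenated, mirrored as Python dicts.
PIPELINE = [
    {"parse_json": {}},
    {"rename_keys": {"entries": [{"from_key": "timestamp", "to_key": "@timestamp"},
                                 {"from_key": "log_level", "to_key": "level"}]}},
    {"add_entries": {"entries": [{"key": "environment", "value": "production"},
                                 {"key": "application", "value": "payment-service"}]}},
    {"uppercase_string": {"with_keys": ["status", "method"]}},
    {"delete_entries": {"with_keys": ["credit_card", "password"]}},
    {"substitute_string": {"entries": [{"source": "status", "from": "SUCCESS", "to": "OK"}]}},
]
SENSITIVE = {"credit_card", "password", "api_key", "ssn"}  # keys the page's examples redact

def apply_processor(name, cfg, event):
    """Assumed semantics of each processor, simulated here (not the product's engine)."""
    if name == "parse_json":
        return json.loads(event) if isinstance(event, str) else event
    if name == "rename_keys":
        for e in cfg["entries"]:
            if e["from_key"] in event:
                event[e["to_key"]] = event.pop(e["from_key"])
    elif name == "add_entries":
        event.update({e["key"]: e["value"] for e in cfg["entries"]})
    elif name == "uppercase_string":
        for k in cfg["with_keys"]:
            if isinstance(event.get(k), str):
                event[k] = event[k].upper()
    elif name == "delete_entries":
        for k in cfg["with_keys"]:
            event.pop(k, None)  # missing keys are ignored
    elif name == "substitute_string":  # assumed: plain substring replacement
        for e in cfg["entries"]:
            if isinstance(event.get(e["source"]), str):
                event[e["source"]] = event[e["source"]].replace(e["from"], e["to"])
    return event

def run_pipeline(raw, pipeline=PIPELINE):
    event = raw
    for step in pipeline:  # processors run in list order: uppercase before substitute
        (name, cfg), = step.items()
        event = apply_processor(name, cfg, event)
    return event

def leaked_sensitive_keys(event):  # post-pipeline check: which redaction targets survived?
    return sorted(SENSITIVE & set(event))
```

Swapping uppercase_string and substitute_string in the list leaves status as "SUCCESS", which is why processor order in these chains is part of the configuration, not a detail.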
Example: Extract and transform specific fields
Extract user information and format it for analysis:
processor:
  - extract_value:
      entries:
        - source: "user_agent"
          target: "browser"
          from: "(?<browser>Chrome|Firefox|Safari)"
          to: "${browser}"
  - lowercase_string:
      with_keys: ["browser"]
  - move_keys:
      entries:
        - from_key: "browser"
          to_key: "user_data.browser"
Example: Conditional processing with entry-level conditions
Use entry-level when conditions to add different metadata depending on log severity:
processor:
  - add_entries:
      entries:
        - key: "alert_level"
          value: "critical"
          when: "log.level == 'ERROR'"
        - key: "alert_level"
          value: "info"
          when_else: "log.level == 'ERROR'"
Example: Drop unwanted log entries
Filter out debug and trace log entries from third-party sources to reduce noise and storage cost:
processor:
  - drop_events:
      when: "log.level in {'DEBUG', 'TRACE'}"
      handle_expression_failure: "skip"
Example: Processor-level condition with delete_entries
Delete sensitive fields only when the environment is production:
processor:
  - delete_entries:
      with_keys: ["password", "api_key", "ssn"]
      when: "environment in {'prod', 'staging'}"