本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 常見的處理器使用案例
以下是合併處理器的常見案例和範例組態:
**Example 標準化日誌格式並新增中繼資料**
剖析 JSON 日誌、標準化欄位名稱,以及新增環境資訊:
```
processor:
- parse_json: {}
- rename_keys:
entries:
- from_key: "timestamp"
to_key: "@timestamp"
- from_key: "log_level"
to_key: "level"
- add_entries:
entries:
- key: "environment"
value: "production"
- key: "application"
value: "payment-service"
```
**Example 清除和標準化欄位值**
標準化狀態碼並移除敏感資料:
```
processor:
- uppercase_string:
with_keys: ["status", "method"]
- delete_entries:
with_keys: ["credit_card", "password"]
- substitute_string:
entries:
- source: "status"
from: "SUCCESS"
to: "OK"
```
**Example 擷取和轉換特定欄位**
擷取用於分析的使用者資訊和格式:
```
processor:
- extract_value:
entries:
- source: "user_agent"
target: "browser"
from: "(?Chrome|Firefox|Safari)"
to: "${browser}"
- lowercase_string:
with_keys: ["browser"]
- move_keys:
entries:
- from_key: "browser"
to_key: "user_data.browser"
```
**Example 具有入門級條件的條件式處理**
使用入門級`when`條件根據日誌嚴重性新增不同的中繼資料:
```
processor:
- add_entries:
entries:
- key: "alert_level"
value: "critical"
when: "log.level == 'ERROR'"
- key: "alert_level"
value: "info"
when_else: "log.level == 'ERROR'"
```
**Example 捨棄不需要的日誌項目**
從第三方來源篩選除錯和追蹤日誌項目,以減少雜訊和儲存成本:
```
processor:
- drop_events:
when: "log.level in {'DEBUG', 'TRACE'}"
handle_expression_failure: "skip"
```
**Example 具有 delete\$1entries 的處理器層級條件式**
僅在環境為生產環境時移除敏感欄位:
```
processor:
- delete_entries:
with_keys: ["password", "api_key", "ssn"]
when: "environment in {'prod', 'staging'}"
```