如何在 Logstash 中将一个事件的字段引用到另一个事件？

我目前正在处理日志，其中一些内容如下所示：

00:19:59.771 (07120/evtThread     ) TRC> Cem< [Core1] CALL_STATE... 
00:20:00.199 (05768/BCMApplicationThread) INF> 
#S#|Call stats, ongoing calls: 8, handled_calls: 7304
#S#+----------------------------+----------+----------+----------+----------+----------+
#S#|Peer                        |      From|        To|   MinTime|   MaxTime|   AvgTime|
#S#+----------------------------+----------+----------+----------+----------+----------+
#S#|        CallDispatcher:Core2|         0|         0|         0|         0|         0|
#S#|        CallDispatcher:Core3|         0|         0|         0|         0|         0|
#S#|                   Cem:Core1|      1632|      6207|         0|   5996522|    311685|

我像这样解析了包含时间的行：

grok {
    match => [ "message", "%{TIME:time} (?<bcm_comp>\(\d{5}\/\w{4,}\:*\ *\w*\)) (?<loglevel>\w{3}>{1}) %{GREEDYDATA:message}" ]
    overwrite => [ "message" ]
    add_field => [ "BCM_System", "PROD" ]
}

前面包含#S#的行是这样解析的。忽略包含 -------- 的行以及包含表标题和呼叫统计行的行。

grok {
    match => [ "message", "(?<start>\#\S\#\|)\s* (?<peer>\w*\:\w*)(?<div2>\|)\s* %{NUMBER:From}(?<div3>\|)\s* %{NUMBER:To}(?<div4>\|)\s* %{NUMBER:MinTime}(?<div5>\|)\s* %{NUMBER:MaxTime}(?<div6>\|)\s* %{NUMBER:AvgTime}(?<div7>\|)" ]        
    remove_field => [ "start", "div2", "div3", "div4", "div5", "div6", "div7" ]
    overwrite => [ "message"]       
    add_field => [ "reference_time", "%{@time}"]
}

我想做的是从上一行中获取时间并将其添加为我摸索 #s# 行的字段。我尝试使用 Logstash 中的 add_field 语法，如图所示，但它不起作用......它只是字面上打印出％{@time}。

有什么方法可以以某种方式从前一行中提取该时间并将其放入另一个事件的字段中吗？

据我所知，你必须编写一个过滤器插件才能执行类似的操作。这是我组合在一起做类似事情的一个简单插件 - 当它看到一个字段时它会记住它，然后使用它看到的最后一个值（如果它不存在）。

# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"
require "set"
#
# This filter will look for a field from an event and record the last value
# of it.  If it's not present, it will add the last value to the event
#
# The config looks like this:
#
#     filter {
#       memorize {
#         field => "time"
#         default => "00:00:00.000"
#       }
#     }
#
# The `field` is the name of the field that you want to memorize
# The `default` is the value to use for the field if you haven't seen it yet
#   in the file (this is optional)

class LogStash::Filters::Memorize < LogStash::Filters::Base

  config_name "memorize"
  milestone 1

  # The field to memorize
  config :field, :validate => :string, :required => true
  # the default value to use for the field if it's not seen before we need it
  config :default, :validate => :string, :required => false

  # The stream identity is how the multiline filter determines which stream an
  # event belongs to. See the multiline plugin if you want more details on how
  # this might work
  config :stream_identity , :validate => :string, :default => "%{host}.%{path}.%{type}"

  public
  def initialize(config = {})
    super

    @threadsafe = false

    # This filter needs to keep state.
    @memorized = Hash.new
  end # def initialize

  public
  def register
    # nothing needed
  end # def register

  public
  def filter(event)
    return unless filter?(event)

    if event[@field].nil?
      val = @memorized[@stream_identity]
      if val.nil?
        val = @default
      end
      event[@field] = val
      filter_matched(event)
    else
      @memorized[@stream_identity] = event[@field]
    end
  end
end