Urldecode 过滤器插件

编辑
  • 插件版本: v3.0.6
  • 发布日期: 2017-11-07
  • 变更日志

其他版本请参见 版本化插件文档

获取帮助

编辑

如有关于插件的问题,请在 Discuss 论坛中发帖。如发现错误或有功能请求,请在 Github 中提交问题。有关 Elastic 支持的插件列表,请查阅 Elastic 支持矩阵

描述

编辑

urldecode 过滤器用于解码经过 url 编码的字段。

Urldecode 过滤器配置选项

编辑

此插件支持以下配置选项以及稍后描述的 通用选项

设置 输入类型 必需

all_fields

布尔值

charset

字符串,以下之一 ["ASCII-8BIT", "UTF-8", "US-ASCII", "Big5", "Big5-HKSCS", "Big5-UAO", "CP949", "Emacs-Mule", "EUC-JP", "EUC-KR", "EUC-TW", "GB2312", "GB18030", "GBK", "ISO-8859-1", "ISO-8859-2", "ISO-8859-3", "ISO-8859-4", "ISO-8859-5", "ISO-8859-6", "ISO-8859-7", "ISO-8859-8", "ISO-8859-9", "ISO-8859-10", "ISO-8859-11", "ISO-8859-13", "ISO-8859-14", "ISO-8859-15", "ISO-8859-16", "KOI8-R", "KOI8-U", "Shift_JIS", "UTF-16BE", "UTF-16LE", "UTF-32BE", "UTF-32LE", "Windows-31J", "Windows-1250", "Windows-1251", "Windows-1252", "IBM437", "IBM737", "IBM775", "CP850", "IBM852", "CP852", "IBM855", "CP855", "IBM857", "IBM860", "IBM861", "IBM862", "IBM863", "IBM864", "IBM865", "IBM866", "IBM869", "Windows-1258", "GB1988", "macCentEuro", "macCroatian", "macCyrillic", "macGreek", "macIceland", "macRoman", "macRomania", "macThai", "macTurkish", "macUkraine", "CP950", "CP951", "IBM037", "stateless-ISO-2022-JP", "eucJP-ms", "CP51932", "EUC-JIS-2004", "GB12345", "ISO-2022-JP", "ISO-2022-JP-2", "CP50220", "CP50221", "Windows-1256", "Windows-1253", "Windows-1255", "Windows-1254", "TIS-620", "Windows-874", "Windows-1257", "MacJapanese", "UTF-7", "UTF8-MAC", "UTF-16", "UTF-32", "UTF8-DoCoMo", "SJIS-DoCoMo", "UTF8-KDDI", "SJIS-KDDI", "ISO-2022-JP-KDDI", "stateless-ISO-2022-JP-KDDI", "UTF8-SoftBank", "SJIS-SoftBank", "BINARY", "CP437", "CP737", "CP775", "IBM850", "CP857", "CP860", "CP861", "CP862", "CP863", "CP864", "CP865", "CP866", "CP869", "CP1258", "Big5-HKSCS:2008", "ebcdic-cp-us", "eucJP", "euc-jp-ms", "EUC-JISX0213", "eucKR", "eucTW", "EUC-CN", "eucCN", "CP936", "ISO2022-JP", "ISO2022-JP2", "ISO8859-1", "ISO8859-2", "ISO8859-3", "ISO8859-4", "ISO8859-5", "ISO8859-6", "CP1256", "ISO8859-7", "CP1253", "ISO8859-8", "CP1255", "ISO8859-9", "CP1254", "ISO8859-10", "ISO8859-11", "CP874", "ISO8859-13", "CP1257", "ISO8859-14", "ISO8859-15", "ISO8859-16", "CP878", "MacJapan", "ASCII", "ANSI_X3.4-1968", "646", "CP65000", "CP65001", "UTF-8-MAC", "UTF-8-HFS", "UCS-2BE", "UCS-4BE", "UCS-4LE", "CP932", "csWindows31J", "SJIS", "PCK", "CP1250", "CP1251", "CP1252", "external", "locale"]

field

字符串

tag_on_failure

数组

另请参见 通用选项,了解所有过滤器插件支持的选项列表。

 

all_fields

编辑

对所有字段进行 url 解码

charset

编辑
  • 值可以是以下之一:ASCII-8BITUTF-8US-ASCIIBig5Big5-HKSCSBig5-UAOCP949Emacs-MuleEUC-JPEUC-KREUC-TWGB2312GB18030GBKISO-8859-1ISO-8859-2ISO-8859-3ISO-8859-4ISO-8859-5ISO-8859-6ISO-8859-7ISO-8859-8ISO-8859-9ISO-8859-10ISO-8859-11ISO-8859-13ISO-8859-14ISO-8859-15ISO-8859-16KOI8-RKOI8-UShift_JISUTF-16BEUTF-16LEUTF-32BEUTF-32LEWindows-31JWindows-1250Windows-1251Windows-1252IBM437IBM737IBM775CP850IBM852CP852IBM855CP855IBM857IBM860IBM861IBM862IBM863IBM864IBM865IBM866IBM869Windows-1258GB1988macCentEuromacCroatianmacCyrillicmacGreekmacIcelandmacRomanmacRomaniamacThaimacTurkishmacUkraineCP950CP951IBM037stateless-ISO-2022-JPeucJP-msCP51932EUC-JIS-2004GB12345ISO-2022-JPISO-2022-JP-2CP50220CP50221Windows-1256Windows-1253Windows-1255Windows-1254TIS-620Windows-874Windows-1257MacJapaneseUTF-7UTF8-MACUTF-16UTF-32UTF8-DoCoMoSJIS-DoCoMoUTF8-KDDISJIS-KDDIISO-2022-JP-KDDIstateless-ISO-2022-JP-KDDIUTF8-SoftBankSJIS-SoftBankBINARYCP437CP737CP775IBM850CP857CP860CP861CP862CP863CP864CP865CP866CP869CP1258Big5-HKSCS:2008ebcdic-cp-useucJPeuc-jp-msEUC-JISX0213eucKReucTWEUC-CNeucCNCP936ISO2022-JPISO2022-JP2ISO8859-1ISO8859-2ISO8859-3ISO8859-4ISO8859-5ISO8859-6CP1256ISO8859-7CP1253ISO8859-8CP1255ISO8859-9CP1254ISO8859-10ISO8859-11CP874ISO8859-13CP1257ISO8859-14ISO8859-15ISO8859-16CP878MacJapanASCIIANSI_X3.4-1968646CP65000CP65001UTF-8-MACUTF-8-HFSUCS-2BEUCS-4BEUCS-4LECP932csWindows31JSJISPCKCP1250CP1251CP1252externallocale
  • 默认值为 "UTF-8"

此过滤器中使用的字符编码。例如 UTF-8cp1252

如果您的 url 解码字符串为 Latin-1(即 cp1252)或其他非 UTF-8 字符集,则此设置很有用。

field

编辑
  • 值类型为 字符串
  • 默认值为 "message"

进行 url 解码的字段的值

tag_on_failure

编辑
  • 值类型为 数组
  • 默认值为 ["_urldecodefailure"]

在抛出异常时将值追加到 tags 字段

通用选项

编辑

所有过滤器插件都支持这些配置选项

add_field

编辑

如果此过滤器成功,则将任意字段添加到此事件。字段名称可以是动态的,并使用 %{field} 包含事件的一部分。

示例

    filter {
      urldecode {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }
    # You can also add multiple fields at once:
    filter {
      urldecode {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

如果事件具有字段 "somefield" == "hello",则此过滤器在成功时将添加字段 foo_hello(如果存在),其值为上述值,并且 %{host} 部分将替换为事件中的该值。第二个示例还将添加一个硬编码字段。

add_tag

编辑
  • 值类型为 数组
  • 默认值为 []

如果此过滤器成功,则将任意标签添加到事件。标签可以是动态的,并使用 %{field} 语法包含事件的一部分。

示例

    filter {
      urldecode {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also add multiple tags at once:
    filter {
      urldecode {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

如果事件具有字段 "somefield" == "hello",则此过滤器在成功时将添加标签 foo_hello(当然,第二个示例将添加 taggedy_tag 标签)。

enable_metric

编辑

禁用或启用此特定插件实例的指标日志记录。默认情况下,我们会记录所有可以记录的指标,但您可以禁用特定插件的指标收集。

  • 值类型为 字符串
  • 此设置没有默认值。

向插件配置添加唯一的 ID。如果未指定 ID,Logstash 将生成一个。强烈建议在配置中设置此 ID。当您有两个或多个相同类型的插件时,这尤其有用,例如,如果您有两个 urldecode 过滤器。在这种情况下,添加命名 ID 将有助于使用监控 API 监控 Logstash。

    filter {
      urldecode {
        id => "ABC"
      }
    }

id 字段中的变量替换仅支持环境变量,不支持使用密钥存储中的值。

periodic_flush

编辑

以定期间隔调用过滤器刷新方法。可选。

remove_field

编辑
  • 值类型为 数组
  • 默认值为 []

如果此过滤器成功,则从此事件中删除任意字段。字段名称可以是动态的,并使用 %{field} 示例包含事件的一部分

    filter {
      urldecode {
        remove_field => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple fields at once:
    filter {
      urldecode {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

如果事件包含字段 "somefield" == "hello",则此过滤器成功后,会移除名为 foo_hello 的字段(如果存在)。第二个示例将移除一个额外的、非动态字段。

remove_tag

编辑
  • 值类型为 数组
  • 默认值为 []

如果此过滤器成功,则会从事件中移除任意标签。标签可以是动态的,并使用 %{field} 语法包含事件的部分内容。

示例

    filter {
      urldecode {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple tags at once:
    filter {
      urldecode {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

如果事件包含字段 "somefield" == "hello",则此过滤器成功后,会移除标签 foo_hello(如果存在)。第二个示例也将移除一个令人悲伤的、不需要的标签。