本文介绍如何将一条日志分发到不同目标,其中每次输出的日志字段集合不同。
- 原始日志
__time__ : 1591754815 f1: GET f2: https f3: aliyun f4: 200 f5: standard
- 加工语法
e_set("tag", "target1, target2") e_split("tag") e_if(e_search("tag==target1"), e_compose(e_drop_fields("f1", "f2", regex=False), e_output("target1"))) e_drop_fields("f3", "f4", regex=False) e_output("target2")
- 输出日志
- 输出到目标target1
__time__ : 1591754815 f3: aliyun f4: 200 f5: standard
- 输出到目标target2
__time__ : 1591754815 f1: GET f2: https f5: standard
- 输出到目标target1
e_drop_fields("f1", "f2", regex=False)
e_coutput("target1")
e_drop_fields("f3", "f4", regex=False)
e_output("target2")