Release Notes and Announcements
- Release Notes
- Announcements
User Guide
Product Introduction
- Overview
- Features
- Available Regions
- Limits
- Concepts
- Service Regions and Service Providers
Purchase Guide
- Billing Overview
- Product Pricing
- Pay-as-You-Go
- Billing
- Cleaning up CLS resources
- Cost Optimization
- FAQs
Getting Started
Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Metric Collection
- Log Storage
- Metric Storage
- Search and Analysis (Log Topic)
- Search and Analysis (Metric Topic)
- Dashboard
- Data Processing documents
- Shipping and Consumption
- Monitoring Alarm
- Cloud Insight
- Independent DataSight console
- Historical Documentation
Practical Tutorial
- Log Collection
- Search and Analysis
- Dashboard
- Monitoring Alarm
- Shipping and Consumption
- Cost Optimization
Developer Guide
- Embedding CLS Console
- CLS Connection to Grafana
API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Topic Management APIs
- Log Set Management APIs
- Index APIs
- Topic Partition APIs
- Machine Group APIs
- Collection Configuration APIs
- Log APIs
- Metric APIs
- Alarm Policy APIs
- Data Processing APIs
- Kafka Protocol Consumption APIs
- CKafka Shipping Task APIs
- Kafka Data Subscription APIs
- COS Shipping Task APIs
- SCF Delivery Task APIs
- Scheduled SQL Analysis APIs
- COS Data Import Task APIs
- Data Types
- Error Codes
FAQs
- Health Check
- Collection
- Log Search
- Others
CLS Service Level Agreement
CLS Policy
- Privacy Policy
- Data Processing And Security Agreement
Contact Us
Glossary

Logstash Statement Reference Table

Focus Mode

Font Size

Last updated: 2025-12-03 18:30:47

Some Logstash statements correspond to functions in data processing as shown in the table below.
Scenario
Logstash
﻿
Data Processing
rename field
mutate
mutate {
 rename => {"old_field_name" => "new_field_name"
} } 
﻿fields_rename("old_field_name","new_field_name" )
Delete Field
﻿
mutate { 
remove_field => ["password_hash"]
 }
﻿fields_drop("password_hash")
update field value
﻿
mutate { 
update => {"status_code" => "Not Found" 
status_code":"Not Found
﻿fields_set("status_code", "Not Found")
extract key-value pairs - Grok
grok
grok {    
match => {   "message" => "%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:level} "  }} 
﻿ext_grok("message",grok="%{TIMESTAMP_ISO8601:time} %{DATA:level}")
extract key-value pairs - Separator
split
 mutate {   
 split => {      "message" => "|"    }    
add_field => {   
   "time" => "%{[message][0]}"   
   "level" => "%{[message][1]}"    
  "taskId" => "%{[message][2]}"   
   "ProcessName" => "%{[message][3]}"   
   "ip" => "%{[message][4]}"    
}   
 remove_field => ["message"] 
 }
﻿ext_sepstr("message","time,loglevel,taskId,ProcessName,ip",sep="\\|")
fields_drop("message")
extract key-value pairs - JSON
json
json {    
source => "message"   
 target => "parsed_data" 
 }
﻿ext_json("message")
Delete log
drop
  if [status] == 404 {    //if status=404
 Delete log
 }
﻿log_drop(delete log
﻿op_eq(v("status"),404)// if the value of status=404
)
Logical judgment
if else
if [log] //if the log field exists
if "Cost" in [message] //when the message field contains "Cost"
﻿t_if(has_field("log")) //if the log field exists
t_if (
﻿str_exist(v(message), "Cost", ignore_upper=True)
if "Cost" in [message] //when the message field contains "Cost"
﻿
or , and
if "Cost" in [message] or "cost" in [message] 
﻿op_or(
﻿str_exist(v(message), "Cost", ignore_upper=False),
str_exist(v(message), "cost", ignore_upper=False)
)
Distribute logs to multiple sinks (target)
output
﻿
if [container] == "scm-pfc" {
    elasticsearch {
       hosts => ["xx.xx.x.xxx:9200"]
        index => "p-k8s"
    }
﻿
 } else {
    elasticsearch {
       hosts => ["xx.xx.x.xx:9200"]
       index => "p-container"
   }}
﻿t_if_else(
op_str_eq(v("container"),"scm-pfc"),
﻿log_output("p-k8s"),  //if branch
log_output("p-container")  //else branch
)
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Cloud Log Service

Logstash Statement Reference Table

Help and Support

Scenario	Logstash			Data Processing
rename field	mutate	mutate { rename => {"old_field_name" => "new_field_name" } }	fields_rename("old_field_name","new_field_name" )
Delete Field			mutate { remove_field => ["password_hash"] }	fields_drop("password_hash")
update field value			mutate { update => {"status_code" => "Not Found" status_code":"Not Found	fields_set("status_code", "Not Found")
extract key-value pairs - Grok	grok	grok { match => { "message" => "%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:level} " }}	ext_grok("message",grok="%{TIMESTAMP_ISO8601:time} %{DATA:level}")
extract key-value pairs - Separator	split	mutate { split => { "message" => "\|" } add_field => { "time" => "%{[message][0]}" "level" => "%{[message][1]}" "taskId" => "%{[message][2]}" "ProcessName" => "%{[message][3]}" "ip" => "%{[message][4]}" } remove_field => ["message"] }	ext_sepstr("message","time,loglevel,taskId,ProcessName,ip",sep="\\\|") fields_drop("message")
extract key-value pairs - JSON	json	json { source => "message" target => "parsed_data" }	ext_json("message")
Delete log	drop	if [status] == 404 { //if status=404 Delete log }	log_drop(delete log op_eq(v("status"),404)// if the value of status=404 )
Logical judgment	if else	if [log] //if the log field exists if "Cost" in [message] //when the message field contains "Cost"	t_if(has_field("log")) //if the log field exists t_if ( str_exist(v(message), "Cost", ignore_upper=True) if "Cost" in [message] //when the message field contains "Cost"
Logical judgment		or , and	if "Cost" in [message] or "cost" in [message]	op_or( str_exist(v(message), "Cost", ignore_upper=False), str_exist(v(message), "cost", ignore_upper=False) )
Distribute logs to multiple sinks (target)	output	if [container] == "scm-pfc" { elasticsearch { hosts => ["xx.xx.x.xxx:9200"] index => "p-k8s" } } else { elasticsearch { hosts => ["xx.xx.x.xx:9200"] index => "p-container" }}	t_if_else( op_str_eq(v("container"),"scm-pfc"), log_output("p-k8s"), //if branch log_output("p-container") //else branch )