Requirement:
Given, for example, path => /wls/applogs/rtlog/icore-pts2SF2433/icore-pts2SF2433.out
extract icore-pts and icore-pts2SF2433/icore-pts2SF2433.out
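Method 1: use grok
filter {
  grok {
    # servername: leading lowercase/hyphen name (icore-pts); stag: the digits after it (2);
    # then a zone tag (SF, WII, DMZ or DRServer) followed by a number (2433).
    # apppath uses USERNAME ([a-zA-Z0-9._-]+), so it captures the file name after the directory.
    match => ["path","/wls/applogs/rtlog/(?<servername>[a-z][a-z-]*)(?<stag>[0-9]*)((?:SF)|(?:WII)|(?:DMZ)|(?:DRServer))(?:%{NUMBER})/%{USERNAME:apppath}"]
    add_field => {
      "app_path" => "%{apppath}"
      "app_name" => "%{servername}"
    }
  }
}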
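Method 2: use Ruby
filter {
  # app_path: the path with the /wls/applogs/rtlog prefix removed.
  # app_name: the remainder, cut from its first digit onward (icore-pts).
  # sub! returns nil when nothing is replaced, so a path outside
  # /wls/applogs/rtlog/ leaves tmp nil and the last line raises NoMethodError.
  ruby {
    code=>"
      event['app_path']=event['path'].dup.sub!(/\/wls\/applogs\/rtlog/,'')
      tmp=event['path'].dup.sub!(/\/wls\/applogs\/rtlog\//,'')
      event['app_name']=tmp.sub!(/\d.*/,'')
    "
  }
}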
Problem:
event['path'].sub!(/\/wls\/applogs\/rtlog/,'')

Exception in filterworker {"exception"=>#<RuntimeError: can't modify frozen string>, "backtrace"=>["org/jruby/RubyString.java:2785:in `sub!'", "(ruby filter code):2:in `register'", "org/jruby/RubyProc.java:271:in `call'", "/wls/logstash-1.4.2/lib/logstash/filters/ruby.rb:38:in `filter'", "(eval):26:in `initialize'", "org/jruby/RubyProc.java:271:in `call'", "/wls/logstash-1.4.2/lib/logstash/pipeline.rb:262:in `filter'", "/wls/logstash-1.4.2/lib/logstash/pipeline.rb:203:in `filterworker'", "/wls/logstash-1.4.2/lib/logstash/pipeline.rb:143:in `start_filters'"], :level=>:error}
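Cause:
The string held in event['path'] is frozen, and Ruby does not allow a frozen object to be modified in place, which is what sub! does. Copy it first and modify the copy (add dup):
event['path'].dup.sub!(/\/wls\/applogs\/rtlog\//,'')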
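
The following is an added example, not code from the original post. It runs in plain Ruby without Logstash, reproduces the frozen-string failure, and shows a non-destructive extraction that also copes with paths outside the log root. The names PREFIX, SAMPLE, frozen_sub_fails?, page_style and extract_app_fields are hypothetical, and the app_name rule reuses the character class from the grok pattern above.

```ruby
# Added example: plain Ruby, no Logstash required. All names are hypothetical.
PREFIX = '/wls/applogs/rtlog/'.freeze # log root used on the page

# Path from the page, frozen the way event['path'] was in the failing filter.
SAMPLE = '/wls/applogs/rtlog/icore-pts2SF2433/icore-pts2SF2433.out'.freeze

# Reproduces the failure: sub! mutates its receiver, so a frozen string raises
# (RuntimeError on JRuby 1.7; FrozenError, a RuntimeError subclass, today).
def frozen_sub_fails?(path)
  path.sub!(%r{/wls/applogs/rtlog}, '')
  false
rescue RuntimeError
  true
end

# The page's fix: dup returns an unfrozen copy, so sub! works on it.
# sub! still returns nil when nothing was replaced.
def page_style(path)
  path.dup.sub!(%r{/wls/applogs/rtlog/}, '')
end

# Returns [app_path, app_name], or nil when the path is not under PREFIX or
# does not start with a lowercase name. Only non-destructive String methods
# are used, so frozen input is fine and no nil reaches a later method call.
def extract_app_fields(path)
  return nil unless path.is_a?(String) && path.start_with?(PREFIX)
  app_path = path[PREFIX.length..-1]        # new string, input untouched
  app_name = app_path[/\A[a-z][a-z-]*/]     # same class as the grok servername
  return nil unless app_name
  [app_path, app_name]
end

if __FILE__ == $PROGRAM_NAME
  p frozen_sub_fails?(SAMPLE)
  p page_style('/var/log/other.log')        # constructed non-matching path
  p extract_app_fields(SAMPLE)
  p extract_app_fields('/var/log/other.log')
end
```
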