据我所知，您必须编写一个过滤器插件才能执行此类操作.这是我放在一起做的一个简单的插件，它可以执行类似的操作-看到它会记住一个字段，然后使用它看到的最后一个值(如果不存在).

You'd have to write a filter plugin to do something like this as far as I know. Here's a simple plugin I threw together to do something like that -- it memorizes a field when it sees it and then uses the last value it saw if it's not present.

# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"
require "set"
#
# This filter will look for a field from an event and record the last value
# of it.  If it's not present, it will add the last value to the event
#
# The config looks like this:
#
#     filter {
#       memorize {
#         field => "time"
#         default => "00:00:00.000"
#       }
#     }
#
# The `field` is the name of the field that you want to memorize
# The `default` is the value to use for the field if you haven't seen it yet
#   in the file (this is optional)

class LogStash::Filters::Memorize < LogStash::Filters::Base

  config_name "memorize"
  milestone 1

  # The field to memorize
  config :field, :validate => :string, :required => true
  # the default value to use for the field if it's not seen before we need it
  config :default, :validate => :string, :required => false

  # The stream identity is how the multiline filter determines which stream an
  # event belongs to. See the multiline plugin if you want more details on how
  # this might work
  config :stream_identity , :validate => :string, :default => "%{host}.%{path}.%{type}"

  public
  def initialize(config = {})
    super

    @threadsafe = false

    # This filter needs to keep state.
    @memorized = Hash.new
  end # def initialize

  public
  def register
    # nothing needed
  end # def register

  public
  def filter(event)
    return unless filter?(event)

    if event[@field].nil?
      val = @memorized[@stream_identity]
      if val.nil?
        val = @default
      end
      event[@field] = val
      filter_matched(event)
    else
      @memorized[@stream_identity] = event[@field]
    end
  end
end