logstash grok - 如何进行条件模式匹配?
[英]logstash grok - how to do conditional pattern matching?
问题描述
I have these three log lines in the same log file: 
我在同一个日志文件中有这三个日志行:
INFO [2015-08-27 18:46:14,279] ({qtp243745864-44} NotebookServer.java[onMessage]:101) - RECEIVE << RUN_PARAGRAPH
INFO [2015-08-27 18:46:14,322] ({qtp243745864-44} NotebookServer.java[broadcast]:253) - SEND >> NOTE
INFO [2015-08-27 18:46:16,809] ({pool-1-thread-2} RemoteInterpreter.java[init]:144) - Create remote interpreter org.apache.zeppelin.markdown.Markdown
I want to pars them using grok but failing to get the right fields: 1) how to pars the data within the brackets? 我想使用grok解析它们但未能获得正确的字段:1)如何解析括号内的数据? 2) the last part of the log line is either (CMD direction cmd_data) or (cmd info) in the example: 2)日志行的最后一部分是示例中的(CMD方向cmd_data)或(cmd信息):
cmd=Receive or SEND
cmd_direction=<< or >>
cmd_data=RUN_PARAGRAPH or NOTE
But the last line is CMD info which does not correspond to the same format. 但最后一行是CMD信息,它不符合相同的格式。
I am trying to find the right rule that will match the first and second but not the third. 我试图找到匹配第一和第二但不是第三的正确规则。 end result should be or (cmd + cmd_data) or (cmd_info) fields Any help? 最终结果应该是or(cmd + cmd_data)还是(cmd_info)字段有什么帮助吗?
2 个解决方案
解决方案1
9 2015-09-03 13:18:36
Logstash has conditionals in the config file, so you can conditionally match things. Logstash在配置文件中有条件,因此您可以有条件地匹配事物。
For example: 例如:
if ([mesage] =~ /(RECEIVE|SEND)/) {
grok {
// do your grok here
}
} else if ([message] =~ /RemoteInterpreter/) {
grok {
// do some other grok here
}
}
If you need help with what those grok s should be, try using the grok debugger 如果您需要有关grok s应该是什么的帮助,请尝试使用grok调试器
解决方案2
0 2017-07-31 09:21:49
I had a similar problem ... 我有类似的问题......
It helped me: 它帮助了我:
if ("SEND" in [message]) {
grok {
// do your grok here
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.