logstash / grok pattern file

I am parsing IIS logs, and I have everything working when all patterns are in the config file.

I want to take out all the patterns and put them in a pattern file, but cannot seem to get it to work.

What I have. Log example:

2015-09-08 16:02:23 GET /l8Wc2pt1FMvzsCEJ/test/restapiname
2015-09-08 16:02:24 GET /l8Wc2pt1FMvzsCEJ/test/ifSoap/soapapiname

grok which works:

match => { "message" => [
        "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/%{GREEDYDATA:restapiname}",
        "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/(?i)ifsoap\/%{GREEDYDATA:soapapiname}"
    ] }

This works. But I have way too many combinations of this URL, and want to take the full thing and put it in a file, so I only have to maintain 1 file.

This does not seem to work:

patterns file:

IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/%{GREEDYDATA:restapiname}
IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/(?i)ifsoap\/%{GREEDYDATA:soapapiname}

GROK file:

grok {
    patterns_dir => "C:/LogProject/LogStash/patterns"
    # a pattern from patterns_dir is referenced as %{NAME}; a bare "IISLOGS" would only match that literal text
    match => [ "message", "%{IISLOGS}" ]
}

Any suggestions?

I personally would recommend staying with the patterns inside the logstash configuration. An extra patterns file is annoying and harder to maintain in my opinion. However, if you want to use the patterns file for some reason, here is a possible way:

The problem is that you have two different definitions for IISLOGS inside your grok patterns file. You can split the different path formats into multiple patterns and do a logical OR inside your IISLOGS definition with (?:%{IISPATH1}|%{IISPATH2}).

Patterns file:

IISPATH1 \/%{WORD:orgid}\/(?i)test\/(?i)ifsoap\/%{GREEDYDATA:soapapiname}
IISPATH2 \/%{WORD:orgid}\/(?i)test\/%{GREEDYDATA:restapiname}
IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} (?:%{IISPATH1}|%{IISPATH2})

This works in the grok debugger for your given examples. The first results in restapiname: restapiname and the second in soapapiname: soapapiname.
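As an added example (not code from the question, the answer, or from Logstash/jls-grok), here is a small grok pattern-file expander in plain Ruby. Ruby's Onigmo regex engine is the same family grok uses, so a mid-pattern (?i) and the named captures behave as they do in Logstash. It loads the answer's patterns file (embedded inline as constructed input), expands %{NAME} into a non-capturing group and %{NAME:field} into a named capture, runs the two sample lines from the question through the result, and rejects a file that defines IISLOGS twice. Assumptions: the three built-in patterns are simplified stand-ins for grok's real definitions, and the duplicate-name check is this loader's own policy, not something grok itself is claimed to enforce.

```ruby
# Minimal grok pattern-file expander (added example, not jls-grok's code).
# Demonstrates why two IISLOGS definitions in one file cannot work and how
# the alternation (?:%{IISPATH1}|%{IISPATH2}) from the answer resolves it.

# Simplified stand-ins for grok's built-in patterns (assumption: the real
# definitions, TIMESTAMP_ISO8601 in particular, are much longer).
BASE_PATTERNS = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}',
  "WORD"              => '\b\w+\b',
  "GREEDYDATA"        => '.*',
}.freeze

# The patterns file from the answer, embedded inline (constructed input).
PATTERNS_FILE = <<~'PAT'
  IISPATH1 \/%{WORD:orgid}\/(?i)test\/(?i)ifsoap\/%{GREEDYDATA:soapapiname}
  IISPATH2 \/%{WORD:orgid}\/(?i)test\/%{GREEDYDATA:restapiname}
  IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} (?:%{IISPATH1}|%{IISPATH2})
PAT

# The question's file, with IISLOGS defined twice (constructed input).
BROKEN_FILE = <<~'PAT'
  IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/%{GREEDYDATA:restapiname}
  IISLOGS %{TIMESTAMP_ISO8601:log_timestamp} %{WORD:method} \/%{WORD:orgid}\/(?i)test\/(?i)ifsoap\/%{GREEDYDATA:soapapiname}
PAT

# Sample log lines from the question (constructed input).
SAMPLE_LINES = [
  "2015-09-08 16:02:23 GET /l8Wc2pt1FMvzsCEJ/test/restapiname",
  "2015-09-08 16:02:24 GET /l8Wc2pt1FMvzsCEJ/test/ifSoap/soapapiname",
].freeze

# Parse "NAME pattern" lines; blank lines and # comments are skipped.
# A name defined twice raises, so the question's failure mode is caught up
# front instead of one definition silently shadowing the other (this check
# is the loader's own policy).
def load_patterns(text, base = BASE_PATTERNS)
  patterns = base.dup
  seen = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    name, pattern = line.split(/\s+/, 2)
    raise ArgumentError, "malformed line: #{line}" unless pattern
    raise ArgumentError, "pattern #{name} defined twice in patterns file" if seen[name]
    seen[name] = true
    patterns[name] = pattern
  end
  patterns
end

# A %{NAME} or %{NAME:field} reference inside a pattern.
REF = /%\{(?<name>\w+)(?::(?<field>\w+))?\}/

# Recursively replace references: %{NAME} becomes (?:...) and %{NAME:field}
# becomes a named capture (?<field>...). Wrapping each reference in a group
# is what keeps a (?i) inside IISPATH1 from leaking into IISPATH2.
def expand(pattern, patterns, depth = 0)
  raise ArgumentError, "pattern nesting too deep (circular reference?)" if depth > 20
  pattern.gsub(REF) do
    m = Regexp.last_match
    body = patterns.fetch(m[:name]) { raise KeyError, "unknown pattern %{#{m[:name]}}" }
    inner = expand(body, patterns, depth + 1)
    m[:field] ? "(?<#{m[:field]}>#{inner})" : "(?:#{inner})"
  end
end

def compile_grok(name, patterns)
  Regexp.new(expand("%{#{name}}", patterns))
end

# Named fields that actually matched; captures belonging to the alternative
# that did not fire are nil and are dropped. Returns nil on no match.
def grok_match(regex, line)
  m = regex.match(line)
  return nil unless m
  m.names.each_with_object({}) do |n, fields|
    v = m[n]
    fields[n] = v unless v.nil?
  end
end

def parse_samples
  iis = compile_grok("IISLOGS", load_patterns(PATTERNS_FILE))
  SAMPLE_LINES.map { |l| grok_match(iis, l) }
end

def broken_file_rejected?
  load_patterns(BROKEN_FILE)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  parse_samples.each { |fields| p fields }
  puts "duplicate IISLOGS rejected: #{broken_file_rejected?}"
end
```

Running it prints one hash per sample line: the first carries restapiname and the second soapapiname, with log_timestamp, method and orgid set in both, matching what the answer reports from the grok debugger. Note that in the Logstash config the file's pattern has to be referenced as "%{IISLOGS}"; a bare "IISLOGS" in match would only ever match that literal text.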
