如何在grok(logstash)中将模式“ a = bc = d”与顺序更改进行匹配?
[英]How to match a pattern of “a=b c=d” with changing order in grok (logstash)?
问题描述
I'm using Logstash to match Fortinet analyzer logs, and the problem is there are so many pattern without order of the fields. 
我正在使用Logstash来匹配Fortinet分析器日志,问题是没有字段顺序的模式太多。
eg one type of message would be: 例如,一种消息类型是:
service=DNS hostname="abnet" profile="Dns" action=blocked reqtype=direct url="/" sentbyte=0 rcvdbyte=0 direction=N/A msg="URL belongs to a denied category in policy" method=domain cat=61 catdesc="Phishing" crscore=60 crlevel=high
...and another is: ...另一个是:
msg="File is infected." action=blocked service=HTTP sessionid=33137 direction=incoming filename="favicon.ico" quarskip=No-skip virus="MSWord/Agent.DD60!tr" dtype="Virus" ref="http://www.fortinet.com/ve?vn=MSWord%2FAgent.DD60%21tr" virusid=6920465 profile="AV"
As you can see both have msg , action , service and profile but with different order. 如您所见,它们都有msg , action , service和profile但是顺序不同。
Is there anyway to build a pattern to match something like: 无论如何,有没有建立一个模式来匹配类似的东西:
(.*?)=%{DATA:\1?}\s
...while giving the field the name of the first match? ...同时为字段指定第一个匹配项的名称?
1 个解决方案
解决方案1
3 已采纳 2015-11-03 17:58:33
使用kv {}过滤器可以将其全部拆分,而不关心顺序。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.