

Extracting a substring after a match position using grok in logstash

Objective: I have a log file from which I want to extract the amount details that follow the string Amount::: in the log file given below.

What I have done so far: Since it is custom parsing, I have created a custom pattern using RegEx and I am trying to implement it using Logstash.

Here is my log file:

28-04-2017 14:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 3000.00  
28-04-2017 12:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 31000.00  
28-04-2017 14:15:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 10000.00  
28-04-2017 11:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 9000.00  
28-04-2017 08:15:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 7000.00

I have used Regex to find the string Amount:::
Note: I want to extract the substring that comes after the string Amount:::

Here are the custom patterns I have used in Grok (but they don't yield good results):

CUSTOM_AMOUNT (?<= - Amount::: ).*    
CUSTOM_AMOUNT (?<=Amount::: )%{BASE16FLOAT}

Here is my logstash.conf:

input {
  file {
    path => "D:\elk\data\amnt_parse.txt"
    type => "customgrok"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  if [type] == "customgrok" {

    # This condition is evaluated before any grok filter has run on the event,
    # so the _grokparsefailure tag is never present here and the grok block
    # below is skipped.
    if "_grokparsefailure" in [tags] {
      grok {
        patterns_dir => "D:\elk\logstash-5.2.1\vendor\bundle\jruby\1.9\gems\logstash-patterns-core-4.0.2\patterns\custom"

        match => { "message" => "%{CUSTOM_AMOUNT:amount}" }
        add_field => { "subType" => "Amount" }
      }
    }

    # Runs after grok: replaces tabs in the raw line with spaces
    mutate {
      gsub => ['message', "\t", " "]
    }
  }
}

output {
  stdout {
    codec => "rubydebug"
  }
  elasticsearch {
    index => "amnt_parsing_change"
    hosts => "localhost"
  }
}

Our intention is to visualize and perform aggregation operations in Kibana and Elasticsearch based on the extracted substring.
But it stores the whole log line in the "message" field, as you can see here: match => { "message" => "%{CUSTOM_AMOUNT:amount}" }.

Here is how the line is stored inside "message" when I tried to view it in Kibana:

"message": "28-04-2017 11:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 9000.00\r",  
"message": "28-04-2017 12:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 31000.00\r",    
"message": "28-04-2017 11:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 9000.00\r",  

The Logstash file input is loading the data (log file) and the index is also getting created, but the custom pattern isn't giving the expected result. What are the possibilities to extract the substring I mentioned above? Or do we have any alternatives?

Here is what you have to do:

filter {
  grok {
    match => {
      # :float makes grok store Amount as a number, which the Kibana aggregations need;
      # without it the field is indexed as a string
      "message" => "%{DATESTAMP:Date} %{WORD:LogSeverity}\s+%{WORD:LogInfo} \(%{NOTSPACE:JavaClass}\) \- Amount::: %{NUMBER:Amount:float}"
    }
  }
  mutate {
    # replace the space between date and time in the Date field with "-"
    gsub => [ "Date", " ", "-" ]
    # If you don't want those fields
    remove_field => ["Date","LogSeverity","LogInfo","JavaClass"]
  }
}

I recommend you read the documentation:

Grok Documentation, Grok Patterns

You can use the following debugger:

Grok Debugger
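The extraction both posts discuss, as an added example that is not part of the question or the answer: a small Ruby script that expands grok's %{NAME:field} references into a plain regex (Logstash's grok runs on the Oniguruma engine that also powers Ruby's Regexp) and applies both patterns from this page to constructed copies of the log lines. The pattern definitions in it are a simplified subset written for this example, not the upstream logstash-patterns-core definitions, and the :float type suffix is not handled. It shows that the question's lookbehind pattern does match on this engine, but its .* also captures the trailing carriage return visible in the Kibana output, so the field would hold "3000.00\r"; the answer's %{NUMBER} stops before it, and converting the captured value to a number is what makes an aggregation possible.

```ruby
# Added example (not from either post): a minimal grok-to-regex expander in
# plain Ruby. The definitions below are a simplified subset written for this
# example; they are NOT copied from logstash-patterns-core and are only
# accurate enough for the log lines on this page.
PATTERNS = {
  "MONTHDAY"  => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  "MONTHNUM"  => '(?:0?[1-9]|1[0-2])',
  "YEAR"      => '(?:\d{4}|\d{2})',
  "HOUR"      => '(?:2[0-3]|[01]?[0-9])',
  "MINUTE"    => '[0-5][0-9]',
  "SECOND"    => '(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?',
  "TIME"      => '%{HOUR}:%{MINUTE}(?::%{SECOND})?',
  "DATE_EU"   => '%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}',
  "DATESTAMP" => '%{DATE_EU}[- ]%{TIME}',
  "WORD"      => '\b\w+\b',
  "NOTSPACE"  => '\S+',
  "BASE10NUM" => '(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)',
  "NUMBER"    => '%{BASE10NUM}',
  # the questioner's first custom pattern, exactly as posted
  "CUSTOM_AMOUNT" => '(?<= - Amount::: ).*',
}.freeze

# %{NAME} or %{NAME:field}; grok's :type suffix (e.g. :float) is not handled here
GROK_REF = /%\{(\w+)(?::(\w+))?\}/

# Recursively replace every %{...} reference with its regex body. A field
# name becomes a named capture group, a bare reference a non-capturing one.
def expand_grok(pattern, defs = PATTERNS)
  pattern.gsub(GROK_REF) do
    name, field = $1, $2
    body = expand_grok(defs.fetch(name) { raise ArgumentError, "unknown grok pattern #{name}" }, defs)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Returns a Hash of field => captured string, or nil when the line does not
# match (the case in which Logstash would add the _grokparsefailure tag).
def grok_match(line, grok_pattern)
  m = Regexp.new(expand_grok(grok_pattern)).match(line)
  m && m.named_captures
end

# Captured values of one field across all lines; non-matching lines are dropped.
def extract_field(lines, grok_pattern, field)
  lines.map { |line| (c = grok_match(line, grok_pattern)) && c[field] }.compact
end

# The aggregation the question is after, done on values converted to numbers.
def sum_field(lines, grok_pattern, field)
  extract_field(lines, grok_pattern, field).map(&:to_f).sum
end

# Constructed sample input modelled on the lines in the question, including the
# trailing "\r" that the Kibana output shows (Windows CRLF line endings).
SAMPLE_LINES = [
  "28-04-2017 14:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 3000.00\r",
  "28-04-2017 12:45:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 31000.00\r",
  "28-04-2017 14:15:50 INFO  abcinfo (ABC_TxnLog_ServiceImpl.java295) - Amount::: 9000.00\r",
].freeze

# The match pattern from the question's config
QUESTION_PATTERN = '%{CUSTOM_AMOUNT:amount}'
# The match pattern from the answer (without the :float suffix, see GROK_REF)
ANSWER_PATTERN = '%{DATESTAMP:Date} %{WORD:LogSeverity}\s+%{WORD:LogInfo} \(%{NOTSPACE:JavaClass}\) \- Amount::: %{NUMBER:Amount}'

if __FILE__ == $0
  # The lookbehind pattern does match, but ".*" swallows the trailing "\r":
  p extract_field(SAMPLE_LINES, QUESTION_PATTERN, "amount")   # ["3000.00\r", "31000.00\r", "9000.00\r"]
  # %{NUMBER} stops at the first non-numeric character, so the "\r" is left out:
  p extract_field(SAMPLE_LINES, ANSWER_PATTERN, "Amount")     # ["3000.00", "31000.00", "9000.00"]
  p grok_match(SAMPLE_LINES[0], ANSWER_PATTERN)
  p sum_field(SAMPLE_LINES, ANSWER_PATTERN, "Amount")         # 43000.0
end
```

Run it with `ruby grok_demo.rb`. The value captured by the lookbehind pattern still converts with `to_f` here, but in Elasticsearch a string field holding "3000.00\r" cannot be summed or averaged; that is why the pattern has to stop at the number and why a numeric type is needed for the Kibana aggregation.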
