Logstash从grok过滤器添加字段
[英]Logstash Add field from grok filter
问题描述
Is it possible to match a message to a new field in logstash using grok and mutate? 
是否可以使用grok和mutate将消息匹配到logstash中的新字段?
Example log: 日志示例:
"<30>Dec 19 11:37:56 7f87c507df2a[20103]: [INFO] 2018-12-19 16:37:56 _internal (MainThread): 192.168.0.6 - - [19/Dec/2018 16:37:56] \"\u001b[37mGET / HTTP/1.1\u001b[0m\" 200 -\r"
I am trying to create a new key value where I match container_id to 7f87c507df2a. 我试图创建一个新的键值,将container_id匹配到7f87c507df2a。
filter {
grok {
match => [ "message", "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:service}|-) +(?:%{NOTSPACE:containerName}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" ]
}
mutate {
add_field => { "container_id" => "%{containerName}"}
}
}
The resulting logfile renders this, where the value of containerName isn't being referenced from grok, it is just a string literal: 生成的日志文件呈现了这一点,其中grok并未引用containerName的值,它只是一个字符串文字:
"container_id": "%{containerName}"
I am trying to have the conf create: 我正在尝试创建conf:
"container_id": "7f87c507df2a"
Obviously the value of containerName isn't being linked from grok. 显然,containerName的值不是从grok链接的。 Is what I want to do even possible? 我想做的事甚至有可能吗?
1 个解决方案
解决方案1
2 已采纳 2018-12-19 17:56:33
As explained in the comments, my grok pattern was incorrect. 如评论中所述,我的骗子模式不正确。 For anyone that may wander towards this post that needs help with grok go here to make building your pattern less time consuming. 对于任何可能需要这篇博客帮助的人,请前往此处,以减少构建模式的时间。
Here was the working snapshot: 这是工作快照:
filter {
grok {
match => [ "message", "\A%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP}%{SPACE}%{BASE16NUM:docker_id}%{SYSLOG5424SD}%{GREEDYDATA:python_log_message}" ]
add_field => { "container_id" => "%{docker_id}" }
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.