
How to use IF ELSE condition in grok pattern in logstash

I have web and API logs combined and I want to save them separately in elasticsearch. So I want to write one pattern: if the request is for API then the if part should execute, and if the request is web then the else part should execute.

Below are a few web and API logs.

00:06:27,778 INFO  [stdout] (ajp--0.0.0.0-8009-38) 00:06:27.777 [ajp--0.0.0.0-8009-38] INFO  c.r.s.web.rest.WidgetController - Method getWidgetDetails() started to get widget details.
00:06:27,783 INFO  [stdout] (ajp--0.0.0.0-8009-38) ---> HTTP GET http://api.survey.me/v1/getwidgetdetails?profileName=jeremy-steffens&profileLevel=INDIVIDUAL&companyProfileName=premier-nationwide-lending&hideHistory=true
00:06:27,817 INFO  [stdout] (ajp--0.0.0.0-8009-38) <--- HTTP 200 http://api.survey.me/v1/getwidgetdetails?profileName=jeremy-steffens&profileLevel=INDIVIDUAL&companyProfileName=premier-nationwide-lending&hideHistory=true (29ms)
00:06:27,822 INFO  [stdout] (ajp--0.0.0.0-8009-38) 00:06:27.822 [ajp--0.0.0.0-8009-38] INFO  c.r.s.web.rest.WidgetController - Method getWidgetDetails() finished.
00:06:27,899 INFO  [stdout] (ajp--0.0.0.0-8009-40) 00:06:27.899 [ajp--0.0.0.0-8009-40] INFO  c.r.s.web.controller.LoginController - Inside initLoginPage() of LoginController

I tried to write a condition but it's not working. It's working only up to the thread name. After the thread I have multiple types of log, so I'm not able to write it without an if condition.

(?:%{TIME:CREATED_ON})(?:%{SPACE})%{WORD:LEVEL}%{SPACE}\[%{NOTSPACE}\]%{SPACE}\(%{NOTSPACE:THREAD}\)

Can anybody give me a suggestion?

You don't need to use an if/else condition to do this, you can use multiple patterns, one will match the API log lines and the other will match the WEB log lines.

For the API log lines you can use the following pattern:

(?:%{TIME:CREATED_ON})(?:%{SPACE})%{WORD:LEVEL}%{SPACE}\[%{NOTSPACE}\]%{SPACE}\(%{NOTSPACE:THREAD}\)%{SPACE}(?:%{DATA})%{SPACE}\[%{DATA}\]%{SPACE}%{WORD}%{SPACE}%{GREEDYDATA:MSG}

And your result will be something like this:

{
"MSG": "c.r.s.web.controller.LoginController - Inside initLoginPage() of LoginController",
"CREATED_ON": "00:06:27,899",
"LEVEL": "INFO",
"THREAD": "ajp--0.0.0.0-8009-40"
}

For the web lines you can use the following pattern:

(?:%{TIME:CREATED_ON})(?:%{SPACE})%{WORD:LEVEL}%{SPACE}\[%{NOTSPACE}\]%{SPACE}\(%{NOTSPACE:THREAD}\)%{SPACE}%{DATA}%{WORD:PROTOCOL}%{SPACE}%{WORD:MethodOrStatus}%{SPACE}%{GREEDYDATA:ENDPOINT}

And the result will be:

{
"CREATED_ON": "00:06:27,783",
"PROTOCOL": "HTTP",
"ENDPOINT": "http://api.survey.me/v1/getwidgetdetails?profileName=jeremy-steffens&profileLevel=INDIVIDUAL&companyProfileName=premier-nationwide-lending&hideHistory=true",
"LEVEL": "INFO",
"THREAD": "ajp--0.0.0.0-8009-38",
"MethodOrStatus": "GET"
}

To use multiple patterns in grok just do this:

grok {
  match => ["message", "pattern1", "pattern2"]
}

Or you can save your patterns to a file and use patterns_dir to point to the directory of the file.

If you still want to use a conditional, just check for anything in the message, for example:

if "HTTP" in [message] { 
 grok { your grok for the web messages }
} else {
 grok { your grok for the api messages }
}
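To see how the two approaches in the answer behave on the question's five log lines, here is an added Python example that is not part of the question or answer and is not Logstash itself: a minimal grok expander built on the stock definitions of TIME, SPACE, WORD, NOTSPACE, DATA and GREEDYDATA, run over both patterns (written with the brackets escaped as `\[`, as in the question's own pattern), once in the "first pattern in the match list wins" style and once with the `"HTTP" in [message]` conditional. The helper names (`expand`, `grok`, `first_match`, `route`) are my own, and the log lines are copied from the question.

```python
import re

# Stock grok definitions (logstash-patterns-core) that the page's two patterns rely on.
GROK_DEFS = {
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SPACE": r"\s*",
    "NOTSPACE": r"\S+",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern):
    """Expand %{NAME} / %{NAME:field} references (recursively) into a plain regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(GROK_DEFS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)


def grok(pattern, line):
    """Unanchored search, like the grok filter; returns the captured fields or None."""
    m = re.search(expand(pattern), line)
    return m.groupdict() if m else None


# The two patterns from the answer.
API_PATTERN = (r"(?:%{TIME:CREATED_ON})(?:%{SPACE})%{WORD:LEVEL}%{SPACE}\[%{NOTSPACE}\]"
               r"%{SPACE}\(%{NOTSPACE:THREAD}\)%{SPACE}(?:%{DATA})%{SPACE}\[%{DATA}\]"
               r"%{SPACE}%{WORD}%{SPACE}%{GREEDYDATA:MSG}")
WEB_PATTERN = (r"(?:%{TIME:CREATED_ON})(?:%{SPACE})%{WORD:LEVEL}%{SPACE}\[%{NOTSPACE}\]"
               r"%{SPACE}\(%{NOTSPACE:THREAD}\)%{SPACE}%{DATA}%{WORD:PROTOCOL}%{SPACE}"
               r"%{WORD:MethodOrStatus}%{SPACE}%{GREEDYDATA:ENDPOINT}")

# The five sample lines from the question, in order.
LOG_LINES = [
    "00:06:27,778 INFO  [stdout] (ajp--0.0.0.0-8009-38) 00:06:27.777 [ajp--0.0.0.0-8009-38] INFO  c.r.s.web.rest.WidgetController - Method getWidgetDetails() started to get widget details.",
    "00:06:27,783 INFO  [stdout] (ajp--0.0.0.0-8009-38) ---> HTTP GET http://api.survey.me/v1/getwidgetdetails?profileName=jeremy-steffens&profileLevel=INDIVIDUAL&companyProfileName=premier-nationwide-lending&hideHistory=true",
    "00:06:27,817 INFO  [stdout] (ajp--0.0.0.0-8009-38) <--- HTTP 200 http://api.survey.me/v1/getwidgetdetails?profileName=jeremy-steffens&profileLevel=INDIVIDUAL&companyProfileName=premier-nationwide-lending&hideHistory=true (29ms)",
    "00:06:27,822 INFO  [stdout] (ajp--0.0.0.0-8009-38) 00:06:27.822 [ajp--0.0.0.0-8009-38] INFO  c.r.s.web.rest.WidgetController - Method getWidgetDetails() finished.",
    "00:06:27,899 INFO  [stdout] (ajp--0.0.0.0-8009-40) 00:06:27.899 [ajp--0.0.0.0-8009-40] INFO  c.r.s.web.controller.LoginController - Inside initLoginPage() of LoginController",
]


def first_match(line, patterns):
    """Mimics match => ["message", p1, p2]: grok stops at the first pattern that matches."""
    for p in patterns:
        fields = grok(p, line)
        if fields is not None:
            return fields
    return None


def route(line):
    """Mimics the answer's conditional: 'HTTP' in [message] -> web grok, else api grok."""
    if "HTTP" in line:
        return "web", grok(WEB_PATTERN, line)
    return "api", grok(API_PATTERN, line)


if __name__ == "__main__":
    for line in LOG_LINES:
        kind, fields = route(line)
        print(kind, fields)
    # Ordering caveat: the WEB pattern also matches a controller line, with nonsense
    # captures (PROTOCOL="INFO"), so it must come second in the match list.
    print(first_match(LOG_LINES[4], [WEB_PATTERN, API_PATTERN]))
```

Running it shows why the order in `match => ["message", pattern1, pattern2]` matters: the API pattern never matches an `HTTP` line (it needs a second `[...]` group after the thread), but the web pattern happily matches a controller line with `PROTOCOL` set to `INFO` and `MethodOrStatus` set to `c`. Keeping the API pattern first, or using the conditional, avoids those mis-parsed events.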
