Custom GROK filter - Logstash -> Elasticsearch
I have a log that is captured and sent to logstash, and the log is in the format
22304999 5 400.OUTPUT_SERVICE.510 submit The limit has been exceeded. Please use a different option. 2.54.44.221 /api/output/v3/contract/:PCID/order /api/output/v3/contract/:pcid/order https://www.example.org/output/ PUT 400 2017-09-28T15:50:57.843176Z
I am trying to create a custom grok filter to add header fields before sending it to elasticsearch.
My goal is something like this
SessionID => "22304999"
HitNumber => "5"
FactValue => "400.OUTPUT_SERVICE.510"
DimValue1 => "submit"
ErrMessage => "The limit has been exceeded. Please use a different option."
IP => "2.54.44.221"
TLT_URL => "/api/output/v3/contract/:PCID/order"
URL => "/api/output/v3/contract/:pcid/order"
Refferer => "https://www.example.org/output/"
Method => "PUT"
StatsCode => "400"
ReqTime => "2017-09-28T15:50:57.843176Z"
I am new to this, so I am just trying to understand how to apply and test it; for example, I would start with an empty filter,
filter {
grok {
match => { "message" => "" }
}
}
My first question is match => { "message" => "" }
Is that the message? What defines "message"?
My log and the fields I want are separated by tabs, with a new field after each tab. Would this make what I am trying to achieve easier: instead of looking for patterns, could I just look for the next tab?
Failing that, could someone provide an example for one of my fields? I should be able to work out the rest.
Regex : (?<SessionID>\S+)\s+(?<HitNumber>\S+)\s+(?<FactValue>\S+)\s+(?<DimValue1>\S+)\s+(?<ErrMessage>.+)\s+(?<IP>(?:\d{1,3}\.){3}\d{1,3})\s+(?<TLT_URL>\S+)\s+(?<URL>\S+)\s+(?<Refferer>\S+)\s+(?<Method>\S+)\s+(?<StatsCode>\S+)\s+(?<ReqTime>\S+)
Details :
(?<>) named capture group
\S matches any non-whitespace character
\d matches a digit
{n,m} matches n to m times
+ matches one or more times (unbounded)
Output :
{
"SessionID": [
[
"22304999"
]
],
"HitNumber": [
[
"5"
]
],
"FactValue": [
[
"400.OUTPUT_SERVICE.510"
]
],
"DimValue1": [
[
"submit"
]
],
"ErrMessage": [
[
"The limit has been exceeded. Please use a different option."
]
],
"IP": [
[
"2.54.44.221"
]
],
"TLT_URL": [
[
"/api/output/v3/contract/:PCID/order"
]
],
"URL": [
[
"/api/output/v3/contract/:pcid/order"
]
],
"Refferer": [
[
"https://www.example.org/output/"
]
],
"Method": [
[
"PUT"
]
],
"StatsCode": [
[
"400"
]
],
"ReqTime": [
[
"2017-09-28T15:50:57.843176Z"
]
]
}
If you want to test a solution, you can always use this site:
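As an added example (not code from the question or from either answer), the Python below runs the first answer's named-capture regex and the tab-split approach the asker proposes over the sample line, with the tab separators the asker describes made explicit. The sample line and the second line with a blank DimValue1 column are constructed here; the field names are the asker's own, spelling included. A grok pattern with a literal tab between fields would behave like the tab split; in Python the two results can be compared offline, including the one case where they disagree: an empty column, which the whitespace-based regex silently fills from the next field.

```python
import re

# Field names in the order the question lists them (the asker's spelling kept,
# so the output keys match the question).
FIELDS = [
    "SessionID", "HitNumber", "FactValue", "DimValue1", "ErrMessage", "IP",
    "TLT_URL", "URL", "Refferer", "Method", "StatsCode", "ReqTime",
]

# Constructed sample: the line from the question with tab separators made explicit.
SAMPLE_LINE = "\t".join([
    "22304999", "5", "400.OUTPUT_SERVICE.510", "submit",
    "The limit has been exceeded. Please use a different option.",
    "2.54.44.221", "/api/output/v3/contract/:PCID/order",
    "/api/output/v3/contract/:pcid/order", "https://www.example.org/output/",
    "PUT", "400", "2017-09-28T15:50:57.843176Z",
])

# Constructed edge case: the same line with DimValue1 empty (two adjacent tabs).
BLANK_DIMVALUE_LINE = SAMPLE_LINE.replace("\tsubmit\t", "\t\t")

# Approach 1: the first answer's whitespace-anchored regex, in Python syntax
# ((?P<name>...) instead of (?<name>...)); the pattern itself is unchanged.
ANSWER_REGEX = re.compile(
    r"(?P<SessionID>\S+)\s+(?P<HitNumber>\S+)\s+(?P<FactValue>\S+)\s+"
    r"(?P<DimValue1>\S+)\s+(?P<ErrMessage>.+)\s+"
    r"(?P<IP>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<TLT_URL>\S+)\s+(?P<URL>\S+)\s+"
    r"(?P<Refferer>\S+)\s+(?P<Method>\S+)\s+(?P<StatsCode>\S+)\s+(?P<ReqTime>\S+)"
)


def parse_with_answer_regex(line):
    """Parse one log line with the answer's regex; None if it does not match."""
    m = ANSWER_REGEX.fullmatch(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_by_tabs(line):
    """Parse one log line by splitting on tabs, as the asker suggests.

    An empty column stays empty instead of swallowing the next field, and a
    line with the wrong number of columns is rejected rather than guessed at
    (in Logstash that would be a _grokparsefailure tag to alert on).
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


if __name__ == "__main__":
    # On the well-formed line both approaches agree.
    print(parse_with_answer_regex(SAMPLE_LINE) == parse_by_tabs(SAMPLE_LINE))
    # On the blank-column line the regex shifts fields; the tab split does not.
    print(parse_with_answer_regex(BLANK_DIMVALUE_LINE)["DimValue1"])
    print(repr(parse_by_tabs(BLANK_DIMVALUE_LINE)["DimValue1"]))
```

The greedy `.+` for ErrMessage works in the answer's regex only because the seven fields after it are anchored to the end of the line; the tab split does not depend on that and is the safer choice when a column can be empty or a free-text message can contain extra whitespace.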
I made this grok pattern for your problem:
%{INT:SessionID}\s*%{INT:HitNumber}\s*%{NOTSPACE:FaceValue}\s*%{GREEDYDATA:ErrMessage}\s*%{IP:IP}\s*%{NOTSPACE:TLT_URL}\s*%{NOTSPACE:URL}\s*%{NOTSPACE:Referer}\s*%{NOTSPACE:Method}\s*%{INT:StatsCode}\s*%{TIMESTAMP_ISO8601:ReqTime}