2017-05-14 73 views
1

I have the log entries and grok patterns shown below. Combine several groks into one

Logs:

2017-04-11 18:31:41,938 | INFO | 195 | Process | Bundle Name | logStr: GUID: dl99X/WeN77E2SmyjH9uS1Fy+EDvFQ5R_939bae | ReferenceID: 20170411183141500676 | InstanceID: 70411183141906430422429270016 | ChannelID: EXAMPLE | System: EXAMPLE | ServiceName: EXAMPLE | InvocationPoint: inbound 

2017-04-11 18:31:42,743 | INFO | 193 | API | Bundle Name | Outbound Message | RESPONSE=[GUID=[dl99X/WeN77E2SmyjH9uS1Fy+EDvFQ5R_939bae], InstanceID=[70411183141906430422429270016], logStr=[GUID: dl99X/WeN77E2SmyjH9uS1Fy+EDvFQ5R_939bae | ReferenceID: 20170411183141500676 | InstanceID: 70411183141906430422429270016 | ChannelID: EXAMPLE | System: EXAMPLE | ServiceName: EXAMPLE | InvocationPoint: inbound 

Grok patterns:

grok {
  # grok general pattern
  match => {
    "message" => "%{TIMESTAMP_ISO8601:logdate}%{SPACE}\|%{SPACE}%{LOGLEVEL:level}%{SPACE}\|%{SPACE}%{DATA:thread}%{SPACE}\|%{SPACE}%{DATA:serviceName}%{SPACE}\|%{SPACE}%{DATA:bundle}%{SPACE}\|%{SPACE}%{GREEDYDATA:logdetails}"
  }
}
# Grok to get GUID
grok {
  match => {
    "logdetails" => "(?<=GUID:).%{DATA:guid}(?=\s)"
  }
}
# Grok to get ChannelID
grok {
  match => {
    "logdetails" => "(?<=ChannelID:).%{DATA:channelID}(?=\s)"
  }
}
# Grok to get ReferenceID
grok {
  match => {
    "logdetails" => "(?<=ReferenceID:).%{DATA:referenceID}(?=\s)"
  }
}

I have several separate groks just to get the GUID, ChannelID and ReferenceID. Is there any way to combine the groks into one?

Thanks in advance!

Answer

0

It is best to know the types of logs you are processing, but when there are too many types to worry about (yet they still share the same format) I would do this:

  1. Identify the base format.
  2. Treat everything after the base as "msg", or the payload.
  3. Parse the payload with the fields you are looking for.

Every one of the messages has the base format timestamp | loglevel | thread:

LINE %{BASE}\s?\|\s?%{GREEDYDATA:msg}

# Patterns
BASE %{CUSTTIME:timestamp}\s?\|\s?%{WORD:loglevel}\s?\|\s?%{NONNEGINT:thread}
CUSTTIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{MILLI}
# milliseconds in this timestamp are zero-padded to three digits (e.g. ,042)
MILLI [0-9]{3}

Then you can add patterns for the other fields you are looking for in the same patterns file, since all the values look very much like key=value, but with a colon:

# A value runs up to the next " | key:" separator (or the end of the line); the
# whitespace after the colon stays outside the capture so the field holds only the value.
COMMAVALUE [^|]*?(?=\s*(?:\|\s*\w+:|$))

# Fields
GUID GUID:\s?%{COMMAVALUE:guid}
CHANNELID ChannelID:\s?%{COMMAVALUE:channel_id}
REFERENCEID ReferenceID:\s?%{COMMAVALUE:reference_id}

So you can do this with two adjacent grok filters, one extracting the msg payload and the other extracting the id fields from msg.

filter { 
    grok { 
     patterns_dir => "/etc/logstash/patterns" 
     match => { "message" => "%{LINE}" } 
    } 
    grok { 
     patterns_dir => "/etc/logstash/patterns" 
     break_on_match => false 
     match => [ 
      "msg", "%{GUID}", 
      "msg", "%{CHANNELID}", 
      "msg", "%{REFERENCEID}" 
     ] 
    } 
} 

output { 
    stdout { codec => "rubydebug" } 
}
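The two-stage approach above, as an added example that is not part of the original answer: a small Python re-implementation of grok's `%{NAME:field}` expansion, loaded with the answer's custom patterns plus the standard grok definitions they depend on (after logstash-patterns-core, with YEAR's atomic group made a plain group), run over the first log entry from the question. MILLI is written as three digits so zero-padded values such as `,042` match, and COMMAVALUE stops at the next ` | key:` separator so each capture holds only the value.

```python
import re

# Grok definitions: the standard ones the answer's patterns rely on (after
# logstash-patterns-core, YEAR's atomic group made plain) plus the answer's own.
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "WORD": r"\b\w+\b",
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "GREEDYDATA": r".*",
    "MILLI": r"[0-9]{3}",  # three zero-padded digits, so ",042" matches too
    "CUSTTIME": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{MILLI}",
    "BASE": r"%{CUSTTIME:timestamp}\s?\|\s?%{WORD:loglevel}\s?\|\s?%{NONNEGINT:thread}",
    "LINE": r"%{BASE}\s?\|\s?%{GREEDYDATA:msg}",
    # a value runs up to the next " | key:" separator or the end of the line
    "COMMAVALUE": r"[^|]*?(?=\s*(?:\|\s*\w+:|$))",
    "GUID": r"GUID:\s?%{COMMAVALUE:guid}",
    "CHANNELID": r"ChannelID:\s?%{COMMAVALUE:channel_id}",
    "REFERENCEID": r"ReferenceID:\s?%{COMMAVALUE:reference_id}",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """Recursively replace %{NAME[:field]}; a field becomes a named group, as grok does."""
    def sub(m):
        body = expand(PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return REF.sub(sub, pattern)

def parse(line):
    """Stage 1 (first grok): split msg off the base format. Stage 2 (second grok,
    break_on_match => false): search msg for every field pattern and merge hits."""
    m = re.match(expand("%{LINE}"), line)
    if not m:
        return None
    event = m.groupdict()
    for field in ("%{GUID}", "%{CHANNELID}", "%{REFERENCEID}"):
        hit = re.search(expand(field), event["msg"])
        if hit:
            event.update(hit.groupdict())
    return event

# Constructed sample: the question's first log entry, trailing space dropped.
SAMPLE = ("2017-04-11 18:31:41,938 | INFO | 195 | Process | Bundle Name | logStr: GUID: "
          "dl99X/WeN77E2SmyjH9uS1Fy+EDvFQ5R_939bae | ReferenceID: 20170411183141500676 | InstanceID: "
          "70411183141906430422429270016 | ChannelID: EXAMPLE | System: EXAMPLE | ServiceName: EXAMPLE | InvocationPoint: inbound")
```

`parse(SAMPLE)` returns one dict with the base fields plus guid, channel_id and reference_id, which is what the two chained grok filters produce for the same line.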