在日誌文件中的行表示爲如下,神交{}濾波器來分割基於定界符逗號
"10 Sep 2014 07:16:33 , INFO , REST , xxx-xxxx-xxx1-yyyy , classname , [ <<MyClass>> Start -> mymessage #######]"
欲整個符合逗號分割作爲分隔符。
即)
Date = 10 Sep 2014 07:16:33
level = INFO
Layer = REST
Txid = xxx-xxxx-xxx1-yyyy
classname = classname
message = [ <<MyClass>> Start -> mymessage #######]
我應該怎麼寫我這個神交過濾器?
添加圖案
COMMA_DELIMITER %{SPACE},%{SPACE}
和過濾器如下:
filter {
grok {
patterns_dir => "/root/mypatterns"
match => ["message", "%{DATESTAMP:LOG_DATE}%{COMMA_DELIMITER}%{LOGLEVEL:LEVEL}%{COMMA_DELIMITER}%{WORD:LAYER}%{COMMA_DELIMITER}%{UUID:txid}%{COMMA_DELIMITER}%{WORD:classname}%{COMMA_DELIMITER}%{GREEDYDATA:filtered_message}"]
}
date {
match => ["LOG_DATE", "dd MMM yyyy HH:mm:ss"]
}
}
你見過CSV {}過濾器? –