忽略神交日誌的端部

Question

我是新與神交和logstash我有與空間這樣

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 - 

我只是想填料我的日誌，只有這部分，而忽略其他分隔的日誌文件部分

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index 

忽略其他部分（我只想7個空格分隔數據和其他數據ignoree

Answer 1

您可以使用此神交模式。

%{BASE10NUM:number1}%{SPACE}%{INT:number2}%{SPACE}%{INT:number3}%{SPACE}%{WORD:msg}/%{INT:number4}%{SPACE}%{INT:number5}%{SPACE}%{WORD:protocol}%{SPACE}%{URI:action} 

輸入

1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 - 

輸出

number1  477879888.908 
number2  728 
port  
number5  254 
number4  304 
msg   TCP_REFRESH_UNMODIFIED 
action  http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index 
protocol GET 
number3  486704579 

然後可以合併msg和number4獲得一個新的領域tcpMsg。最後刪除msg,number4和port。

mutate { 
    add_field => { 
    "tcpMsg" => "%{msg}/%{number4}" 
    } 
    remove_field => ["msg", "number4","port"] 
} 

希望這會有所幫助。