logstash grok 解析 url
logstash grok parse url
我一直在网上搜索,但不太明白。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{URIPATH:url}
}
我需要从 url 中获取内容并将其放入弹性搜索中。
日志有 url 个这样的
URL 1 =
/NEED_A/Constant_A/Constant_B/Constant_C/Need_B/Constant_D/Need_C/Need_D
URL 2 =
/NEED_A/Constant_A/Constant_B/Constant_C/Need_B/Constant_D
URL 3 =
/Wierd_A
Need_A、NEED_B、NEED_C、Need_D、Wierd_A 应该放在各自的字段中。
我一直在尝试寻找一个 if else-if 循环,但还没有真正找到任何东西。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} {URIPATH:url} %]
}
if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D/*/*" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/%{WORD:NEED_C}
}
else-if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/
}
else-if
//something similar for url 3
}
//move on if nothing matches
有什么想法吗?
logstash 不是循环类型系统。
如果你想 运行 多个模式来对付你的输入,只需 list them:
grok {
match => {
"message" => [
"%{PATTERN1}",
"%{PATTERN2}"
]
]
}
我一直在网上搜索,但不太明白。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{URIPATH:url}
}
我需要从 url 中获取内容并将其放入弹性搜索中。
日志有 url 个这样的
URL 1 = /NEED_A/Constant_A/Constant_B/Constant_C/Need_B/Constant_D/Need_C/Need_D
URL 2 = /NEED_A/Constant_A/Constant_B/Constant_C/Need_B/Constant_D
URL 3 = /Wierd_A
Need_A、NEED_B、NEED_C、Need_D、Wierd_A 应该放在各自的字段中。
我一直在尝试寻找一个 if else-if 循环,但还没有真正找到任何东西。
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} {URIPATH:url} %]
}
if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D/*/*" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/%{WORD:NEED_C}
}
else-if[url] == "/*/Constant_A/Constant_B/Constant_C/*/Constant_D" {
\/%{WORD:NEED_A}\/.*\/.*\/.*\/%{WORD:NEED_B}\/.*\/
}
else-if
//something similar for url 3
}
//move on if nothing matches
有什么想法吗?
logstash 不是循环类型系统。
如果你想 运行 多个模式来对付你的输入,只需 list them:
grok {
match => {
"message" => [
"%{PATTERN1}",
"%{PATTERN2}"
]
]
}