如何匹配几种可能的日志事件格式?
how to match several possible log events formats?
我有来自一个日志源的事件,它可以有多种已知格式。举个例子
10:45 Today is Monday
11:13 The weather is nice
12:00 The weather is cloudy
我可以match他们每个人通过
The weather is %{WORD:weather}
Today is %{WORD:weekday}
我还不适应 logstash 的格式 filter。为了考虑到每一种可能性,我应该构建类似
的东西吗?
if message =~ "The weather is"
{
grok {
"match" => "The weather is %{WORD:weather}"
}
}
if message =~ "Today is"
{
grok {
"match" => "Today is %{WORD:weekday}"
}
}
或者有更紧凑的东西吗? (例如,具有关联映射的事件的可能模式列表)
我找到了一个解决方案:枚举模式:
filter {
grok {
match => { "message" => [ "hello %{WORD:who}", "the weather is %{WORD:weather}" ] }
}
}
我有来自一个日志源的事件,它可以有多种已知格式。举个例子
10:45 Today is Monday
11:13 The weather is nice
12:00 The weather is cloudy
我可以match他们每个人通过
The weather is %{WORD:weather}
Today is %{WORD:weekday}
我还不适应 logstash 的格式 filter。为了考虑到每一种可能性,我应该构建类似
if message =~ "The weather is"
{
grok {
"match" => "The weather is %{WORD:weather}"
}
}
if message =~ "Today is"
{
grok {
"match" => "Today is %{WORD:weekday}"
}
}
或者有更紧凑的东西吗? (例如,具有关联映射的事件的可能模式列表)
我找到了一个解决方案:枚举模式:
filter {
grok {
match => { "message" => [ "hello %{WORD:who}", "the weather is %{WORD:weather}" ] }
}
}