我正在尝试在导入应用程序日志时弄清楚如何与grok进行一些匹配。 但坦率地说,我相当失落,我将如何匹配以上,所以我可以搜索“MA_Number”并得到“123456789”作为弹性的结果
AppliedProperty_PurchaseStatus = (string) <SOLD> AppliedProperty_UrlText = (string) <http://www.dummyurl.com> MA_Number= (decimal) [123456789]I'm trying to figure out how to do some matching with grok while importing logs for applications. But to be frank I am fairly lost, how would i go about matching above so i can search for "MA_Number" and get "123456789" as the result in elastic
最满意答案
这个数字的正则表达式,假设每行使用grok逐个处理,将是:
MA_Number= \(decimal\) \[%{NUMBER}\]NUMBER是由grok定义的模式,以及许多可以帮助您的模式:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
关于你上面提供的消息(根本不符合你的grok(??))
这是你如何快速测试/部署这个:
我的测试配置:
input { stdin{} } filter { grok { match => ["message", "MA_Number= \(decimal\) \[%{NUMBER:num}\]" ] } } output { stdout { codec => rubydebug } }考试:
artur@pandaadb:~/dev/logstash$ ./logstash-2.3.2/bin/logstash -f conf3/ Settings: Default pipeline workers: 8 Pipeline main started MA_Number= (decimal) [123456789] { "message" => "MA_Number= (decimal) [123456789]", "@version" => "1", "@timestamp" => "2016-09-19T13:30:56.837Z", "host" => "pandaadb", "num" => "123456789" }查看如何将消息的数量提取到变量num中。
A regular Expression for that number, assuming there each line is processed one-by-one, with grok, would be:
MA_Number= \(decimal\) \[%{NUMBER}\]NUMBER is a pattern defined by grok, alongside a lot of patterns that can help you:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
With regards to the messages you provide above (which do not match your grok at all (??))
This is how you can quickly test this/deploy this:
My test config:
input { stdin{} } filter { grok { match => ["message", "MA_Number= \(decimal\) \[%{NUMBER:num}\]" ] } } output { stdout { codec => rubydebug } }The test:
artur@pandaadb:~/dev/logstash$ ./logstash-2.3.2/bin/logstash -f conf3/ Settings: Default pipeline workers: 8 Pipeline main started MA_Number= (decimal) [123456789] { "message" => "MA_Number= (decimal) [123456789]", "@version" => "1", "@timestamp" => "2016-09-19T13:30:56.837Z", "host" => "pandaadb", "num" => "123456789" }See how the number of the message has been extracted into the variable num.
Logstash自定义匹配(Logstash custom matching) AppliedProperty_PurchaseStatus = (string) <SOLD> AppliedProperty_UrlText = (string) <http://www.dummyurl.com> MA_Number= (decimal) [123456789]我正在尝试在导入应用程序日志时弄清楚如何与grok进行一些匹配。 但坦率地说,我相当失落,我将如何匹配以上,所以我可以搜索“MA_Number”并得到“123456789”作为弹性的结果
AppliedProperty_PurchaseStatus = (string) <SOLD> AppliedProperty_UrlText = (string) <http://www.dummyurl.com> MA_Number= (decimal) [123456789]I'm trying to figure out how to do some matching with grok while importing logs for applications. But to be frank I am fairly lost, how would i go about matching above so i can search for "MA_Number" and get "123456789" as the result in elastic
最满意答案
这个数字的正则表达式,假设每行使用grok逐个处理,将是:
MA_Number= \(decimal\) \[%{NUMBER}\]NUMBER是由grok定义的模式,以及许多可以帮助您的模式:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
关于你上面提供的消息(根本不符合你的grok(??))
这是你如何快速测试/部署这个:
我的测试配置:
input { stdin{} } filter { grok { match => ["message", "MA_Number= \(decimal\) \[%{NUMBER:num}\]" ] } } output { stdout { codec => rubydebug } }考试:
artur@pandaadb:~/dev/logstash$ ./logstash-2.3.2/bin/logstash -f conf3/ Settings: Default pipeline workers: 8 Pipeline main started MA_Number= (decimal) [123456789] { "message" => "MA_Number= (decimal) [123456789]", "@version" => "1", "@timestamp" => "2016-09-19T13:30:56.837Z", "host" => "pandaadb", "num" => "123456789" }查看如何将消息的数量提取到变量num中。
A regular Expression for that number, assuming there each line is processed one-by-one, with grok, would be:
MA_Number= \(decimal\) \[%{NUMBER}\]NUMBER is a pattern defined by grok, alongside a lot of patterns that can help you:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
With regards to the messages you provide above (which do not match your grok at all (??))
This is how you can quickly test this/deploy this:
My test config:
input { stdin{} } filter { grok { match => ["message", "MA_Number= \(decimal\) \[%{NUMBER:num}\]" ] } } output { stdout { codec => rubydebug } }The test:
artur@pandaadb:~/dev/logstash$ ./logstash-2.3.2/bin/logstash -f conf3/ Settings: Default pipeline workers: 8 Pipeline main started MA_Number= (decimal) [123456789] { "message" => "MA_Number= (decimal) [123456789]", "@version" => "1", "@timestamp" => "2016-09-19T13:30:56.837Z", "host" => "pandaadb", "num" => "123456789" }See how the number of the message has been extracted into the variable num.
发布评论