- elasticsearch/
elasticsearch 如何为该日志编写grok模式?
elasticsearch 如何为该日志编写grok模式?
日志:
[2021-01-27T11:51:18838][INFO][logstash.setting.writabledirectory]创建目录{:setting=>“path.dead\u letter\u queue”,:path=>“C:\\Pippo\\logstash-7.6.1\\data\\dead\u letter\u queue”}/code>我建议您使用对此类用例非常有用的在线工具。
这是第一个与数据行的必输部分匹配的grok表达式:
\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level} \]\[%{GREEDYDATA:class}\] %{GREEDYDATA:action} \{:setting=>"%{GREEDYDATA:setting}", :path=>"%{PATH:path}"\}
这个表达式是您用例的起点。此grok表达式的结果如下:
{
"timestamp": [
[
"2021-01-27T11:51:18,838"
]
],
"YEAR": [
[
"2021"
]
],
"MONTHNUM": [
[
"01"
]
],
"MONTHDAY": [
[
"27"
]
],
"HOUR": [
[
"11",
null
]
],
"MINUTE": [
[
"51",
null
]
],
"SECOND": [
[
"18,838"
]
],
"ISO8601_TIMEZONE": [
[
null
]
],
"level": [
[
"INFO"
]
],
"class": [
[
"logstash.setting.writabledirectory"
]
],
"action": [
[
"Creating directory"
]
],
"setting": [
[
"path.dead_letter_queue"
]
],
"path": [
[
"C:\\Pippo\\logstash-7.6.1\\data\\dead_letter_queue"
]
],
"UNIXPATH": [
[
null
]
],
"WINPATH": [
[
"C:\\Pippo\\logstash-7.6.1\\data\\dead_letter_queue"
]
]
}
我不知道如何使用grok调试它是如何工作的?@ylr没有结果跟随链接,将数据行放在顶部,然后将表达式粘贴到下面。结果显示在底部。答案是没有匹配项,为什么?谢谢帮助匹配“某物”,您还没有解释要从该数据行提取什么,因此我不确定是否仅此。我要提取数据行中的所有内容。都在方括号内。提前谢谢@YLR