elasticsearch （麋鹿）用于SBR会计日志的日志存储区

如何将字段映射到SBR记帐日志上的消息，其格式如下例所示

"Date","Time","RAS-Client","Record-Type","Full-Name","Auth-Type","User-Name","Framed-IP-Address","Calling-Station-ID","Called-Station-ID","Framed-Interface-Id","Delegated-IPv6-Prefix","NAS-Identifier","NAS-IP-Address","NAS-Port","NAS-Port-Type","NAS-Port-ID","Filter-ID","Acct-Termination-Cause","Acct-Session-Id","Acct-Session-Time","Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets","Acct-Authentic","Acct-Input-Packets","Acct-Output-Packets","Acct-Multi-Session-Id","Acct-Input-Gigawords","Acct-Output-Gigawords","Event-Timestamp","Service-Type","Framed-Protocol","Connect-Info","Idle-Timeout","Session-Timeout","HW-Connect-ID","HW-Domain-Name"

有“xxx”和用逗号（，）分隔的空字段

比如说,

“2016年7月3日”、“17:00:00”、“abc”、“xyz”和

我的configuration.yml文件过滤器如下所示

filter {
  mutate {
    # replace all comma with space
    gsub => [ "message", ",", " " ]
  }
  grok {
    match => [ "message", "(%{DATE:date})? (%{TIME:time})? (%{WORD:bras})? (%{WORD:recordtype})? (%{WORD:fullname})? (%{WORD:authtype})? (%{WORD:username})? (%{IP:ipaddress})? (%{MAC:callingstationid})? (%{MAC:calledstationid})? %{GREEDYDATA:message}" ]
  }
}

但现在看起来好像不工作了

---

另外，我只是麋鹿队的初学者，很抱歉我的英语不好。

什么不太好？您可能需要查看以下内容：。另外，我不相信你的

gsub

，我只是将

，

集成到grok中pattern@maximede谢谢你的回答。这对我帮助很大。我已经使用了grokdebug，它可以很好地处理这段代码。”（“{DATE:DATE}”）？，（“{TIME:TIME}”）？，（“{DATA:rasclient}”）？，…”，但当我在.yml文件上使用它并使用logstash运行时，它将显示错误。我想这是因为“，”和“（）”或双引号。我想问你更多关于如何在文件中使用它的问题。我见过一些url使用“\”来解决这个问题，但我不确定。你能给我举个例子吗。非常感谢你的帮助。