- elasticsearch/
elasticsearch 分层数据匹配与显示
elasticsearch 分层数据匹配与显示
在我的日志文件中,我有表示项目层次结构的数据,很像http日志文件可能显示网站的层次结构 我可能有这样的数据
41 2016-01-01 01:41:32-500 show:category:all
41 2016-01-01 04:11:20-500 show:category:animals
42 2016-01-02 01:41:32-500 show:item:wallaby
42 2016-01-02 01:41:32-500 show:home
%{TIMESTAMP_ISO8601:ts}(?([^\r])*)mutatesplitlvl1:lvl2:lvl3['lvl1'、'lvl2'、'lvl3']info[0]info[0]info[1]级别的深度各不相同,但我可以非常肯定的是,最大级别是5,因此我可以将文本解析为不同的字段
lvl1lvl2lvl3lvl4lvl5- 根据您提供的信息,使用%{NUMBER:terminal}%{TIMESTAMP_ISO8601:ts}和(?([^\r])*)*{过滤数据}
- 变异
- 滤器
- 现在,您可以通过提及add_field=>[“fieldname”,“%{[arrayname][0]}”将字段添加为级别1
- 现在您可以通过提及add_field=>[“fieldname”,“%{[arrayname][1]}”来添加一个字段作为级别2
- 现在您可以通过提及add_field=>[“fieldname”,“%{[arrayname][2]}”来添加一个字段作为级别3
input {
file {
path => "C:/Temp/zipped/*.txt"
start_position => beginning
ignore_older => 0
sincedb_path => "C:/temp/logstash_temp2.sincedb"
}
}
filter {
grok {
match => ["message","^%{NOTSPACE}\[%{NUMBER:terminal_id}\] %{NUMBER:log_level} %{NUMBER} %{TIMESTAMP_ISO8601:ts} \[(?<facility>([^\]]*))\] (?<lvl>([^$|\r])*)"]
}
mutate {
split => ["lvl", ":"]
add_field => {"lvl_1" => "%{lvl[0]}"}
add_field => {"lvl_2" => "%{lvl[1]}"}
add_field => {"lvl_3" => "%{lvl[2]}"}
add_field => {"lvl_4" => "%{lvl[3]}"}
add_field => {"lvl_5" => "%{lvl[4]}"}
add_field => {"lvl_6" => "%{lvl[5]}"}
add_field => {"lvl_7" => "%{lvl[6]}"}
add_field => {"lvl_8" => "%{lvl[7]}"}
lowercase => [ "terminal_id" ] # set to lowercase so that it can be used for index - additional filtering may be required
}
date {
match => ["ts", "YYYY-MM-DD HH:mm:ssZZ"]
}
}
filter {
if [lvl_1] =~ /%\{lvl\[0\]\}/ {mutate {remove_field => [ "lvl_1" ]}}
if [lvl_2] =~ /%\{lvl\[1\]\}/ {mutate {remove_field => [ "lvl_2" ]}}
if [lvl_3] =~ /%\{lvl\[2\]\}/ {mutate {remove_field => [ "lvl_3" ]}}
if [lvl_4] =~ /%\{lvl\[3\]\}/ {mutate {remove_field => [ "lvl_4" ]}}
if [lvl_5] =~ /%\{lvl\[4\]\}/ {mutate {remove_field => [ "lvl_5" ]}}
if [lvl_6] =~ /%\{lvl\[5\]\}/ {mutate {remove_field => [ "lvl_6" ]}}
if [lvl_7] =~ /%\{lvl\[6\]\}/ {mutate {remove_field => [ "lvl_7" ]}}
if [lvl_8] =~ /%\{lvl\[7\]\}/ {mutate {remove_field => [ "lvl_8" ]}}
mutate{
remove_field => [ "lvl","host","ts" ] # do not keep this data
}
}
output {
if [facility] == "mydata" {
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-mydata-%{terminal_id}-%{+YYYY.MM.DD}"
}
} else {
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-other-%{terminal_id}-%{+YYYY.MM.DD}"
}
}
# stdout { codec => rubydebug }
}
输入{
文件{
路径=>“C:/Temp/zipped/*.txt”
开始位置=>开始位置
忽略\u older=>0
sincedb_path=>“C:/temp/logstash_temp2.sincedb”
}
}
滤器{
格罗克{
match=>[“message”,“^%{NOTSPACE}\[%{NUMBER:terminal\u id}\]%{NUMBER:log\u level}%{NUMBER}%{TIMESTAMP\u ISO8601:ts}\[(?([^\]]*)\](?([^$\r])*)”]
}
变异{
拆分=>[“lvl”,“:”]
add_field=>{“lvl_1”=>“%{lvl[0]}”}
add_field=>{“lvl_2”=>“%{lvl[1]}”}
add_field=>{“lvl_3”=>“%{lvl[2]}”}
add_field=>{“lvl_4”=>“%{lvl[3]}”
add_field=>{“lvl_5”=>“%{lvl[4]}”}
add_field=>{“lvl_6”=>“%{lvl[5]}”}
add_field=>{“lvl_7”=>“%{lvl[6]}”}
add_field=>{“lvl_8”=>“%{lvl[7]}”}
lowercase=>[“terminal_id”]#设置为小写以便可用于索引-可能需要额外的筛选
}
日期{
匹配=>[“ts”,“YYYY-MM-DD HH:MM:ssZZ”]
}
}
滤器{
如果[lvl\U 1]=~/%\{lvl\[0\]\}/{mutate{remove\U field=>[“lvl\U 1”]}
如果[lvl\U 2]=~/%\{lvl\[1\]\}/{mutate{remove\U field=>[“lvl\U 2”]}
如果[lvl\U 3]=~/%\{lvl\[2\]\}/{mutate{remove\U field=>[“lvl\U 3”]}
如果[lvl\U 4]=~/%\{lvl\[3\]\}/{mutate{remove\U field=>[“lvl\U 4”]}
如果[lvl\U 5]=~/%\{lvl\[4\]\}/{mutate{remove\U field=>[“lvl\U 5”]}
如果[lvl\U 6]=~/%\{lvl\[5\]\}/{mutate{remove\U field=>[“lvl\U 6”]}
如果[lvl\U 7]=~/%\{lvl\[6\]\}/{mutate{remove\U field=>[“lvl\U 7”]}
如果[lvl\U 8]=~/%\{lvl\[7\]\}/{mutate{remove\U field=>[“lvl\U 8”]}
变异{
删除字段=>[“lvl”、“主机”、“ts”]#不保留此数据
}
}
输出{
如果[设施]=“我的数据”{
弹性搜索{
hosts=>[“localhost:9200”]
index=>“logstash mydata-%{terminal_id}-%{+YYYY.MM.DD}”
}
}否则{
弹性搜索{
hosts=>[“localhost:9200”]
index=>“logstash other-%{terminal_id}-%{+YYYY.MM.DD}”
}
}
#stdout{codec=>rubydebug}
}
if[info\u 1]=~/%\{info\[0\]\}/{mutate{remove\u field=>[“info\u 1”]}