elasticsearch 或某一特定油田的测井条件,elasticsearch,logstash,logstash-grok,elasticsearch,Logstash,Logstash Grok" /> elasticsearch 或某一特定油田的测井条件,elasticsearch,logstash,logstash-grok,elasticsearch,Logstash,Logstash Grok" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch 或某一特定油田的测井条件

elasticsearch 或某一特定油田的测井条件

logstash

elasticsearch 或某一特定油田的测井条件,elasticsearch,logstash,logstash-grok,elasticsearch,Logstash,Logstash Grok,我有以下日志模式 2021-04-14T10:57:33+00:00 fihe3nok1789 info Wed Apr 14 10:57:31 2021 : Auth: (14539) Rejected in post-auth: [host/N-20HEPF0W4YKX.fw-intra.net] (from client ro1015w-ws-elm-a-1.ro.fw.com port 0 cli 44032CA08674) - wlan - proxy: 10.130.0.98 我试

我有以下日志模式

2021-04-14T10:57:33+00:00 fihe3nok1789 info Wed Apr 14 10:57:31 2021 : Auth: (14539) Rejected in post-auth: [host/N-20HEPF0W4YKX.fw-intra.net] (from client ro1015w-ws-elm-a-1.ro.fw.com port 0 cli 44032CA08674) - wlan - proxy: 10.130.0.98
我试着把上面的和下面的格洛克模式匹配起来

(%{TIMESTAMP_ISO8601:logdate}\s*%{DATA:radius_server}\s*info).*?host\/%{DATA:hostname}\..*?(client\s*%{GREEDYDATA:client}\s*).*?(port\s*%{NUMBER:port}\s*).*?(cli\s*%{MAC:mac_address}\s*|cli\s*%{WORD:mac_address}\s*)
但我的问题是,一切正常,直到

(cli\s*%{MAC:MAC\U地址}\s*|cli\s*%{WORD:MAC\U地址}\s*)

这是怪圈的一部分。当grok模式包含上述工件时,它不工作

有没有关于如何继续的想法?

以下模式适合您:

(%{TIMESTAMP_ISO8601:logdate}\s*%{DATA:radius_server}\s*info).*?host\/%{DATA:hostname}\..*?(client\s*%{GREEDYDATA:client}\s*).*?(port\s*%{NUMBER:port}\s*).*?(cli\s*%{MAC:mac_address}\s*|cli\s*%{WORD:mac_address}\s*)\) \- wlan \- proxy\: %{IPV4:proxyIp}
尝试在末尾添加
\)