Logstash grok filter for AWS ELB - Fatal编程技术网


Tags: logstash, logstash-grok

I have the following filter in Logstash for parsing AWS ELB access logs:

filter {
  grok {
    match => [ "message", '%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} (?:%{IP:backend_ip}:%{NUMBER:backend_port:int}|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} (?:%{NUMBER:elb_status_code:int}|-) (?:%{NUMBER:backend_status_code:int}|-) %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "(?:%{WORD:verb}|-) (?:%{GREEDYDATA:request}|-) (?:HTTP/%{NUMBER:httpversion}|-( )?)" "%{DATA:userAgent}"( %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol})?' ]
  }
}
This produces separate fields in Elasticsearch, one of which is the request field, whose value might be:

https://api.example.net:443/v2/domain.com/actions?somefield=somevalue

Is there a way to add a second grok filter that runs a regex over that field before it is indexed into ES, so that domain.com and v2 are extracted and indexed as their own separate fields?

As leandropjmp suggested, two separate grok blocks do what I wanted. Here is the complete solution I was looking for:

filter {
  grok {
    match => [ "message", '%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} (?:%{IP:backend_ip}:%{NUMBER:backend_port:int}|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} (?:%{NUMBER:elb_status_code:int}|-) (?:%{NUMBER:backend_status_code:int}|-) %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} "(?:%{WORD:verb}|-) (?:%{GREEDYDATA:request}|-) (?:HTTP/%{NUMBER:httpversion}|-( )?)" "%{DATA:userAgent}"( %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol})?' ]
  }
  grok {
    match => [ "request", '(/(?<request_endpoint>[^/]+)+/(?<request_version>[^/]+)+/(?<request_domain>[^/]+)/(?<request_api>[^/!\?]+))' ]
  }
}
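To check what the two-stage parse above actually yields for a given line (and what happens to a line whose request field is "-", where the second grok cannot match), here is an added Python re-implementation of both grok stages; it is example code, not part of the original post, and the sample log lines in it are constructed.

```python
import re
# Added example (not the post's code): the two-stage grok parse in Python.
# Python writes named groups as (?P<name>...), where grok accepts (?<name>...).

# Stage 1: the ELB access-log line (the grok pattern from the answer, simplified).
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<loadbalancer>\S+) '
    r'(?P<client_ip>[\d.]+):(?P<client_port>\d+) '
    r'(?:(?P<backend_ip>[\d.]+):(?P<backend_port>\d+)|-) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) '
    r'(?:(?P<elb_status_code>\d+)|-) (?:(?P<backend_status_code>\d+)|-) '
    r'(?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?:(?P<verb>\w+)|-) (?P<request>.*?) (?:HTTP/(?P<httpversion>[\d.]+)|- ?)" '
    r'"(?P<userAgent>[^"]*)"'
    r'(?: (?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+))?$'
)

# Stage 2: the answer's second grok pattern (its "+" after each group is redundant).
REQUEST_PATH = re.compile(
    r'/(?P<request_endpoint>[^/]+)/(?P<request_version>[^/]+)'
    r'/(?P<request_domain>[^/]+)/(?P<request_api>[^/!?]+)'
)

def parse_elb_line(line):
    """Stage 1: named fields as strings, or None when the line does not match."""
    m = ELB_LINE.match(line)
    return m.groupdict() if m else None

def parse_request(event):
    """Stage 2: add request_* fields. As grok would, a request that does not
    match (e.g. "-" for a rejected connection) tags the event instead of failing."""
    m = REQUEST_PATH.search(event.get("request") or "")
    if m:
        event.update(m.groupdict())
    else:
        event.setdefault("tags", []).append("_grokparsefailure")
    return event

def parse(line):
    event = parse_elb_line(line)
    return parse_request(event) if event else None

# Constructed sample lines (not real traffic); the URL is the one from the question.
SAMPLE_OK = ('2015-05-13T23:39:43.945958Z my-loadbalancer 192.0.2.10:2817 10.0.0.1:80 '
             '0.000086 0.001048 0.001337 200 200 0 57 "GET https://api.example.net:443'
             '/v2/domain.com/actions?somefield=somevalue HTTP/1.1" "curl/7.38.0" '
             'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')
SAMPLE_NO_REQUEST = ('2015-05-13T23:39:43.945958Z my-loadbalancer 192.0.2.10:2817 - '
                     '-1 -1 -1 400 0 0 0 "- - - " "-" - -')
```

In a real pipeline the `_grokparsefailure` tag on the second grok is expected for rejected connections, so filter on the request field (or use a conditional) rather than treating every tagged event as a pipeline error.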

Logstash filters are sequential; just build a grok filter and add it after the first one, this time using the request field instead of the message field in the match option.

Two match statements in one grok, or two separate grok blocks each with its own match?

Two separate grok blocks; you can have as many blocks as you want.

Thanks for sharing!