Logstash 寻找绿洲原木_Logstash_Elastic Stack_Logstash Grok

Logstash 寻找绿洲原木

logstash

Logstash 寻找绿洲原木,logstash,elastic-stack,logstash-grok,Logstash,Elastic Stack,Logstash Grok,我想为OASIS日志创建一个自定义GROK 2019-10-29 00:36:53Z|User -User trying to login from desktop oasis screen|Cart -|Level -INFO|Severity -Information|Class -oaCheckOut.aspx.vb|Function -Button1_Click : oaCheckOut|UserID: 261343 Cart_ID: 8050513 - Start : Validat

我想为OASIS日志创建一个自定义GROK

2019-10-29 00:36:53Z|User -User trying to login from desktop oasis screen|Cart -|Level -INFO|Severity -Information|Class -oaCheckOut.aspx.vb|Function -Button1_Click : oaCheckOut|UserID: 261343 Cart_ID: 8050513 - Start :  Validate K12PunchinGuest mandatory fields execution

我刚开始吃的那个水果

%{TIMESTAMP_ISO8601:timestamp}\|%{GREEDYDATA:user}\|%{DATA}%{SPACE}\-%{DATA:Level}

我的输出到目前为止

{
  "timestamp": [
    [
      "2019-10-29 00:36:53Z"
    ]
  ],
  "user": [
    [
      "User -User trying to login from desktop oasis screen|Cart -|Level -INFO|Severity -Information|Class -oaCheckOut.aspx.vb|Function -Button1_Click : oaCheckOut"
    ]
  ],
  "Level": [
    [
      ""
    ]
  ]
}

在这里，我无法将用户、级别和严重性分开

实现我期望的最好方法是什么？什么是正确的选择？请帮帮我

请尝试下面的grok

%{TIMESTAMP_ISO8601:timestamp}\|(?:User -%{GREEDYDATA:User})\|(?:Cart -%{GREEDYDATA:Cart})\|(?:Level -%{GREEDYDATA:Level})\|(?:Severity -%{GREEDYDATA:Severity})\|(?:Class -%{GREEDYDATA:Class})\|(?:Function -%{GREEDYDATA:Function})\|(?:UserID: %{BASE10NUM:UserID})\s(?:Cart_ID: %{BASE10NUM:Cart_ID})%{GREEDYDATA}

这太完美了！谢谢：@AngelH