Logstash 忽略登录grok的结束部分
我是grok和logstash的新手,我有一个日志文件,用这样的空格分隔Logstash 忽略登录grok的结束部分,logstash,logstash-grok,Logstash,Logstash Grok,我是grok和logstash的新手,我有一个日志文件,用这样的空格分隔 1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 - 我只想为这一部分填充日志,而忽略其他部分 1477879888.908 728 48670
1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 -
我只想为这一部分填充日志,而忽略其他部分
1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index
忽略其他部分(我只需要7个空格分隔的数据,忽略其他数据)您可以使用此grok模式
%{BASE10NUM:number1}%{SPACE}%{INT:number2}%{SPACE}%{INT:number3}%{SPACE}%{WORD:msg}/%{INT:number4}%{SPACE}%{INT:number5}%{SPACE}%{WORD:protocol}%{SPACE}%{URI:action}
输入
1477879888.908 728 486704579 TCP_REFRESH_UNMODIFIED/304 254 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/91.189.88.162 -
输出
number1 477879888.908
number2 728
port
number5 254
number4 304
msg TCP_REFRESH_UNMODIFIED
action http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index
protocol GET
number3 486704579
然后可以合并msg
和number4
以获得新字段tcpMsg
。最后删除msg
、number4
和端口
mutate {
add_field => {
"tcpMsg" => "%{msg}/%{number4}"
}
remove_field => ["msg", "number4","port"]
}
希望这有帮助